
Add html_escape to some externalized strings

What does this MR do and why?

Related to #374091 (comment 1108087305). Instead of html_safe (which marks a string as trusted), use html_escape (which sanitizes strings) on externalized strings to improve security.

Screenshots or screen recordings

No visual changes

How to set up and validate locally

  1. Visit the modified pages:
    • <gitlab>/-/profile/gpg_keys
      • Sample GPG key:
        -----BEGIN PGP PUBLIC KEY BLOCK-----
        mDMEWZz/eRYJKwYBBAHaRw8BAQdAbEtu3px60L3UMgZK2uU7FRUDCaz4v+1uHTkK
        PGu2LQy0HnRlc3QgbmFtZSA8dGVzdGVtYWlsQHRlc3QuY29tPoiQBBMWCgA4FiEE
        0+eu7gj8Pykrh9fQTupXY000+ZMFAlmc/3kCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
        HgECF4AACgkQTupXY000+ZNnXwEAnUIBdOIZS1GAA6Qua3XhqI8MBeRO5cLTm1Li
        em2SjsAA/0m/ggFo8A0kCKOtx//dsThLG7fP+txlNv1yNRQhTtEM
        =CtOq
        -----END PGP PUBLIC KEY BLOCK-----
    • <group>/-/settings/access_tokens
    • <group>/-/settings/ci_cd

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
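To make the html_safe vs. html_escape distinction concrete, the following is an added Ruby example; it is not code from this MR or from GitLab. It models Rails' html_safe marker and SafeBuffer-style interpolation with small stand-ins (TrustedHtml, html_safe, render and safe_format are assumptions for illustration) and uses ERB::Util.html_escape from the Ruby standard library. The translated message, the link placeholders and the token name are constructed samples. The security point it shows is that an externalized string comes from a translation catalogue, so marking it html_safe trusts whoever edits the translations, whereas escaping it first and then interpolating only markup the code owns keeps any injected tag inert.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String that a view would emit
# verbatim. Assumption for illustration only; not Rails or GitLab code.
class TrustedHtml < String
  def html_safe?
    true
  end
end

def html_safe(str)
  TrustedHtml.new(str)
end

def trusted?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# What a template does with a value at output time: trusted strings pass
# through unchanged, everything else is escaped.
def render(value)
  trusted?(value) ? value.to_s : ERB::Util.html_escape(value)
end

# Interpolate %{placeholders}, escaping every substituted value unless it is
# explicitly trusted. Approximates SafeBuffer#% (assumption, not Rails code).
def safe_format(template, values)
  escaped = values.transform_values { |v| trusted?(v) ? v.to_s : ERB::Util.html_escape(v) }
  html_safe(format(template, escaped))
end

# Markup the code itself supplies and therefore may trust.
LINK = {
  link_start: html_safe('<a href="/help/gpg">'),
  link_end: html_safe('</a>')
}.freeze

# Externalized string as it might come back from a translation catalogue.
# Constructed sample: a hostile or careless translator added markup.
def translated_message
  'Add your GPG key. %{link_start}Learn more%{link_end}<img src=x onerror=alert(1)>'
end

# Before: marking the whole externalized string as trusted ships the
# translator's markup to the browser unchanged.
def render_before_fix(msg = translated_message)
  render(html_safe(msg % LINK))
end

# After: escape the externalized string first, then interpolate only the
# markup the code owns; the injected tag survives as harmless text.
def render_after_fix(msg = translated_message)
  render(safe_format(ERB::Util.html_escape(msg), LINK))
end

# Same pattern applied to a user-controlled value (a token name): it is
# escaped by safe_format because it was never marked trusted.
def token_revoked_notice(name)
  render(safe_format(ERB::Util.html_escape('Token %{name} revoked.'), { name: name }))
end

if __FILE__ == $PROGRAM_NAME
  puts render_before_fix
  puts render_after_fix
  puts token_revoked_notice('<b>ci</b>')
end
```

The order matters: escape the externalized string before interpolating, and pass the link tags as explicitly trusted values. Escaping after interpolation would also neutralise the anchor markup the code intends to render.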
