What steps will reproduce the problem?
1. Open a change that contains HTML in the commit summary
2. See the commit summary not escaping and rather rendering its HTML
What is the expected output? What do you see instead?
HTML output (at the very least < and >) should be replaced with their HTML entities.
If you don't trust everyone who writes code in your system, this is a potential XSS.
What version of the product are you using? On what operating system?
1.2.1-GO on Ubuntu 12.04, behind Apache reverse proxy
Please provide any additional information below.
Compare the following two URLs:
Reported by firstname.lastname@example.org on 2013-05-15 16:50:33
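
The escaping the report asks for, sketched as an added example (not part of the original report and not the project's code): a commit summary rendered raw next to a version encoded for both the element text and an attribute. The function names, the `span`/`title` markup, the 72-character truncation and the sample message are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a commit summary containing markup and quotes.
SAMPLE = 'Fix <b>parser</b> & "quote" handling'

def render_summary_unsafe(summary: str) -> str:
    """Behaviour described in the report: the summary is interpolated raw."""
    return f'<span class="summary" title="{summary}">{summary}</span>'

def render_summary(message: str, max_len: int = 72) -> str:
    """Render the first line of a commit message as inert text."""
    first_line = message.splitlines()[0] if message else ""
    # Truncate BEFORE escaping: cutting afterwards can split an entity
    # such as "&lt;" and leave broken output.
    shown = first_line
    if len(shown) > max_len:
        shown = shown[: max_len - 3] + "..."
    # quote=True also encodes " and ', which the title attribute needs.
    return '<span class="summary" title="{}">{}</span>'.format(
        html.escape(first_line, quote=True), html.escape(shown, quote=True))

class _Collector(HTMLParser):
    """Records start tags and text the way an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)

def parse_fragment(fragment: str):
    """Return (start tags with attributes, concatenated text) of a fragment."""
    collector = _Collector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, "".join(collector.text)

if __name__ == "__main__":
    print(render_summary_unsafe(SAMPLE))
    print(render_summary(SAMPLE))
    print(parse_fragment(render_summary(SAMPLE)))
```

Parsing the rendered fragment and checking that the only element is the wrapper `span` makes a useful regression test for this class of bug.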