Potential Security issue: GitLab does not html-escape commit messages displays
Re-opening still pending security issue as reported here by github user Happy86 and requested by @jvanbaarsen : https://github.com/gitlabhq/gitlabhq/issues/6549#issuecomment-167524591
It seems like commit messages are not or not properly escaped when displayed in GitLab.
I have not tried injecting JavaScript yet but things like
ä
are shown as 'ä' if GitLab displays the commit message.
Issue was still present in 7.14 as commented by @razer6 on Github.