diff --git a/app/views/notify/new_merge_request_email.html.haml b/app/views/notify/new_merge_request_email.html.haml
index db23447dd392a7a97cdff7ac7602baa40ac55b13..78de5548dad7c84e259abdcdd9ba4056d1ff425a 100644
--- a/app/views/notify/new_merge_request_email.html.haml
+++ b/app/views/notify/new_merge_request_email.html.haml
@@ -3,7 +3,7 @@
 #{link_to @merge_request.author_name, user_url(@merge_request.author)} created a merge request:
 %p.details
- != merge_path_description(@merge_request, '→')
+ = merge_path_description(@merge_request, '→')
 - if @merge_request.assignee_id.present?
 %p
diff --git a/changelogs/unreleased/security-id-email-xss.yml b/changelogs/unreleased/security-id-email-xss.yml
new file mode 100644
index 0000000000000000000000000000000000000000..36c00a70c6a702bf1de46f38d9fd6d95457620a8
--- /dev/null
+++ b/changelogs/unreleased/security-id-email-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape path in new merge request mail
+merge_request:
+author:
+type: security
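Review bot: The escaping gained by `= merge_path_description(@merge_request, '→')` in new_merge_request_email.html.haml holds only while the helper returns a plain String; `merge_path_description` is defined outside this diff, and if it ever returns an `html_safe` value, `=` will pass it through unescaped. Nothing in the shown change pins the behaviour: a mailer spec that builds a merge request whose branch name contains markup and asserts that the HTML part carries the escaped form would catch a regression to `!=`. A HAML comment above the line, e.g. `-# keep '=' here: the merge path includes user-supplied names and must be escaped`, would document the intent for the next editor. Other templates under `app/views/notify/` may render the same helper with `!=` and are worth checking; the template itself continues beyond this hunk on both sides.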