Discovered 9 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak


Unescaped parameter value



serialize_issuable(merge_request_includes(find_routable!(Project, File.join(params[:namespace_id], (params[:project_id] or params[:id])), :extra_authorization_proc => (lambda do
 (not project.pending_delete?)
 end)).merge_requests).find_by_iid!(params[:id]), :serializer => "widget", :issues_links => true)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.

Solution: fix the issue in app/views/projects/merge_requests/_widget.html.haml or mark it as false positive.