Discovered 11 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/sherlock/queries/_general.html.haml:39

highlight("#{Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).id}.sql", Gitlab::Sherlock.collection.find_transaction(params[:transaction_id]).find_query(params[:id]).formatted_query, :language => "sql")

Category description: XSS occurs when a user-manipulable value is rendered on a web page without being escaped, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/sherlock/queries/_general.html.haml or mark it as false positive.