This bug has been introduced in db14e10943aeb87f3a2e06f02ca788986f039077.
You’ve signed the CLA, CvX. Thank you! This pull request is ready for review.
Are we 100% sure that description is safe?
description here is returned by Category#description_text, which has been updated in this PR to escape unsafe characters. The return value is cached there, but that’s a thread-local cache, so there’s no need to worry about stale/unsafe data.
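To make the point in the comment above concrete (escape first, then cache the escaped result in a thread-local store so no request thread can observe another thread's entry), here is an added, self-contained Ruby example. It is not the project's code: the Category class, its fields, the cache key :category_description_cache and the sample description are all assumptions constructed for illustration, and stdlib ERB::Util.html_escape stands in for whatever escaping the real method uses.

```ruby
require "erb"

# Hypothetical minimal model standing in for the Discourse Category class
# (assumption for this example, not the project's own code).
class Category
  attr_reader :id, :description

  def initialize(id, description)
    @id = id
    @description = description
  end

  # Returns the description with HTML special characters escaped
  # (& < > " ' become entities). The escaped string is memoised in a
  # cache that lives on the current thread (Thread.current), keyed by
  # category id, so a value computed in one request thread is never
  # handed to another thread and the cache can only ever hold escaped text.
  def description_text
    cache = (Thread.current[:category_description_cache] ||= {})
    cache[id] ||= ERB::Util.html_escape(description.to_s)
  end

  # Drop this thread's cached entry, e.g. after the description is edited.
  def clear_description_cache
    Thread.current[:category_description_cache]&.delete(id)
  end
end

# Constructed sample: a description carrying markup a user could have typed.
SAMPLE = Category.new(42, "Tools <script>alert(1)</script> & more")

# What a view would receive: the escaped form, never the raw markup.
def escaped_sample
  SAMPLE.description_text
end

# Two calls on the same thread return the very same cached String object.
def memoised_on_same_thread?
  escaped_sample.equal?(escaped_sample)
end

# The cache is per thread: a freshly spawned thread starts with no cache at all,
# while the calling thread's cache already holds the entry.
def cache_isolated_across_threads?
  SAMPLE.description_text
  other_thread_cache = Thread.new { Thread.current[:category_description_cache] }.value
  !Thread.current[:category_description_cache].empty? && other_thread_cache.nil?
end

if __FILE__ == $PROGRAM_NAME
  puts escaped_sample
  puts "memoised: #{memoised_on_same_thread?}"
  puts "thread-local: #{cache_isolated_across_threads?}"
end
```

The design choice worth noting: because escaping happens before the value enters the cache, marking the cached string as HTML-safe at the call site is only sound as long as nothing else can write raw text into that cache; keeping the cache private to the method and to the thread is what gives that guarantee.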
I see, kinda confusing… Would have been better to call that variable “
Agree. I’m changing that.
This comment removes the automat
html_safe calls regardless of what is being looked up, but the commit seems to focus on description only. Does this mean it’s possible other fields that were previously escaped would no longer be?
It’s actually a duplicate. We’re already calling
Looks good to me