Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541

See merge request !2001

app/views/ci/lints/_create.html.haml

@@ -16,8 +16,7 @@
             %tr
               %td #{stage.capitalize} Job - #{build[:name]}
               %td
-                %pre
-                  = simple_format build[:commands]
+                %pre= build[:commands]
 
                 %br
                 %b Tag list:

spec/views/ci/lints/show.html.haml_spec.rb

+require 'spec_helper'
+
+describe 'ci/lints/show' do
+  include Devise::TestHelpers
+
+  before do
+    assign(:status, true)
+    assign(:stages, %w[test])
+    assign(:builds, builds)
+  end
+
+  context 'when builds attrbiutes contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
+    end
+
+    it 'does not render HTML elements' do
+      render
+
+      expect(rendered).not_to have_css('h1', text: 'rspec')
+    end
+  end
+
+  context 'when builds attributes do not contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
+    end
+
+    it 'shows configuration in the table' do
+      render
+
+      expect(rendered).to have_css('td pre', text: 'rspec')
+    end
+  end
+end