Merge branch 'prevent-html-injection' into 'master'

Prevent html injection

Commits page renders commit description with single_format method which allows html tags. So commit message with html tags brokers Commits page. See screenshot

![Screenshot 2014-07-10 11.16.40](https://dev.gitlab.org/uploads/gitlab/gitlabhq/6606e1bac0/Screenshot_2014-07-10_11.16.40.png)

See merge request !959

2 files changed, 12 insertions, 3 deletions

diff --git a/app/assets/stylesheets/sections/commits.scss b/app/assets/stylesheets/sections/commits.scss
index f00d024f389..9b148390115 100644
--- a/app/assets/stylesheets/sections/commits.scss
+++ b/app/assets/stylesheets/sections/commits.scss
@@ -177,10 +177,18 @@ li.commit {
 
   .commit-row-description {
     font-size: 14px;
-    border-left: 1px solid #e5e5e5;
-    padding: 0 15px 0 7px;
+    border-left: 1px solid #EEE;
+    padding: 10px 15px;
     margin: 5px 0 10px 5px;
+    background: #f9f9f9;
     display: none;
+
+    pre {
+      border: none;
+      background: inherit;
+      padding: 0;
+      margin: 0;
+    }
   }
 
   .commit-row-info {
diff --git a/app/views/projects/commits/_commit.html.haml b/app/views/projects/commits/_commit.html.haml
index 5adb6b9e3b1..abe0d4cff46 100644
--- a/app/views/projects/commits/_commit.html.haml
+++ b/app/views/projects/commits/_commit.html.haml
@@ -22,7 +22,8 @@
 
   - if commit.description?
     .commit-row-description.js-toggle-content
-      = simple_format(commit.description)
+      %pre
+        = commit.description
 
   .commit-row-info
     = commit_author_link(commit, avatar: true, size: 16)