pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted The user information passed to autocompleteFormatter from select2 is the raw data which might contain HTML markup controlled by the user. That could cause XSS issues, already when loading a PR page. To avoid that, make sure autocompleteHighlightMatch always escape user information. That makes the user safe as long as a rogue user isn't selected ...

[tox]
minversion = 1.8
envlist = py{26,27}-pytest

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    -r{toxinidir}/dev_requirements.txt
    py26-pytest: unittest2
    python-ldap
    python-pam
commands =
    pytest: py.test {posargs}