pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted The user information passed to autocompleteFormatter from select2 is the raw data which might contain HTML markup controlled by the user. That could cause XSS issues, already when adding rogue users as reviewers on a PR. To avoid that, make sure select2 use the default escapeMarkup function. In addReviewMember, use .html_escape when expanding the reviewer template.

[pytest]
# only look for tests in kallithea/tests
python_files = kallithea/tests/**/test_*.py
addopts =
    # --verbose
    # show extra test summary info as specified by chars (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed, (w)warnings.
    -rfEsxXw
    # Shorter scrollbacks; less stuff to scroll through
    --tb=short