Merge branch 'revert-0a6ee7ce' into 'master'

app/assets/javascripts/notes.js

@@ -1398,7 +1398,7 @@ const normalizeNewlines = function(str) {
       const cachedNoteBodyText = $noteBodyText.html();
 
       // Show updated comment content temporarily
-      $noteBodyText.html(_.escape(formContent));
+      $noteBodyText.html(formContent);
       $editingNote.removeClass('is-editing fade-in-full').addClass('being-posted fade-in-half');
       $editingNote.find('.note-headline-meta a').html('<i class="fa fa-spinner fa-spin" aria-label="Comment is being updated" aria-hidden="true"></i>');
 
@@ -1411,7 +1411,7 @@ const normalizeNewlines = function(str) {
         })
         .fail(() => {
           // Submission failed, revert back to original note
-          $noteBodyText.html(_.escape(cachedNoteBodyText));
+          $noteBodyText.html(cachedNoteBodyText);
           $editingNote.removeClass('being-posted fade-in');
           $editingNote.find('.fa.fa-spinner').remove();
 

changelogs/unreleased/32908-edit-comment.yml

----
-title: Escapes html content before appending it to the DOM
-merge_request:
-author:

spec/javascripts/notes_spec.js

@@ -443,45 +443,6 @@ import '~/notes';
       });
     });
 
-    describe('update comment with script tags', () => {
-      const sampleComment = '<script></script>';
-      const updatedComment = '<script></script>';
-      const note = {
-        id: 1234,
-        html: `<li class="note note-row-1234 timeline-entry" id="note_1234">
-                <div class="note-text">${sampleComment}</div>
-               </li>`,
-        note: sampleComment,
-        valid: true
-      };
-      let $form;
-      let $notesContainer;
-
-      beforeEach(() => {
-        this.notes = new Notes('', []);
-        window.gon.current_username = 'root';
-        window.gon.current_user_fullname = 'Administrator';
-        $form = $('form.js-main-target-form');
-        $notesContainer = $('ul.main-notes-list');
-        $form.find('textarea.js-note-text').html(sampleComment);
-      });
-
-      it('should not render a script tag', () => {
-        const deferred = $.Deferred();
-        spyOn($, 'ajax').and.returnValue(deferred.promise());
-        $('.js-comment-button').click();
-
-        deferred.resolve(note);
-        const $noteEl = $notesContainer.find(`#note_${note.id}`);
-        $noteEl.find('.js-note-edit').click();
-        $noteEl.find('textarea.js-note-text').html(updatedComment);
-        $noteEl.find('.js-comment-save-button').click();
-
-        const $updatedNoteEl = $notesContainer.find(`#note_${note.id}`).find('.js-task-list-container');
-        expect($updatedNoteEl.find('.note-text').text().trim()).toEqual('');
-      });
-    });
-
     describe('getFormData', () => {
       it('should return form metadata object from form reference', () => {
         this.notes = new Notes('', []);