[ci skip]

Fix Live Comment XSS Vulnerability for 9.4

See merge request gitlab/gitlabhq!2189

[9.4] Merge branch 'fix/gem-security-updates' into 'master'

See merge request gitlab/gitlabhq!2182

[9.4] Prevent a persistent XSS in the commit author block

See merge request gitlab/gitlabhq!2187

We now make use of the `content_tag` helper so that the untrusted input
is escaped and the trusted output is then automatically safe. When we
don't need to wrap the name in a `span` tag (when `avatar` is falsey),
it's treated as unsafe by default, so no further sanitization/escaping
is necessary.

Upgrade mail and nokogiri gems due to security issues

See merge request !13662

[9.4] Limit `style` attribute on `th` and `td` elements to specific properties

See merge request gitlab/gitlabhq!2167

[9.4] Prevent project creation (blank, import or fork) when repository already exists on disk

See merge request gitlab/gitlabhq!2171

[9.4] Disallow the `name` attribute on all user-provided markup

See merge request gitlab/gitlabhq!2173

Fixes the User Selection Display (9.5)

See merge request gitlab/gitlabhq!2177

Do not use `location.pathname` when accessing environments folders

See merge request !2147

Fix XSS issue in go-get handling

See merge request !2128

There are some redundancies in the validation steps, and that is to
preserve current error messages behavior

Also few specs have to be changed in order to fix madness in validation
logic.

Update GitLab Pages (9.4)

See merge request !2158

A malicious user was able to do something like

    <img src="" name="getElementById">

to override the `document.getElementById` method, which would result in
JavaScript errors being thrown.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/36104

Add missing guidelines for i18n setup

See merge request !13541

Previously we whitelisted the entire `style` attribute on `th` and `td`
elements, in order to allow Markdown table alignment to work. But this
opened us up to a potential exploit by allowing a malicious user to
define properties besides `text-align` in the attribute.

We now remove everything except `text-align: (center|left|right)`.

[ci skip]

Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:46
Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:53
Failure/Error: expect(recorded.count).to be_within(1).of(57) in spec/serializers/pipeline_serializer_spec.rb:113
Metrics/AbcSize: Assignment Branch Condition size is too high in app/controllers/admin/projects_controller.rb:5

Fix displaying specific error message when Jenkins test fails

See merge request !13510

Do not run the `ee_compat_check` job for stableish branches

Closes #35131

See merge request !13497

Fix conflicting redirect search

See merge request !13357

Render new issue link in failed job as a regular link instead of a UJS one

Closes #36158

See merge request !13450

Include RE2 in the upgrade docs

See merge request !13448

Merge branch '35052-please-select-a-file-when-attempting-to-upload-or-replace-from-the-ui' into 'master'

Resolve "'Please select a file' when attempting to upload or replace from the UI"

Closes #35052

See merge request !12863

Pending delete projects no longer return 500 error in Admins projects view

Closes #35435

See merge request !13389

Fix "Cannot connect to CI server error messages"

Closes #34547

See merge request !13252