awesome-reviewers/_reviewers/posthog-verify-html-escaping.json

[
{
"discussion_id": "2261639125",
"pr_number": 36339,
"pr_file": "posthog/templates/email/personal_api_key_exposed.html",
"created_at": "2025-08-08T01:36:39+00:00",
"commented_code": "+{% extends \"email/base.html\" %} {% load posthog_assets %} {% load posthog_filters %}\n+{% block heading %}Personal API Key has been deactivated{% endblock %}\n+{% block section %}\n+<p>\n+ Your Personal API Key <strong>{{ label }}</strong> with value <strong>{{ mask_value }}</strong> was publicly exposed.\n+ {% if more_info %}{{ more_info }}{% endif %}",
"repo_full_name": "PostHog/posthog",
"discussion_comments": [
{
"comment_id": "2261754566",
"repo_full_name": "PostHog/posthog",
"pr_number": 36339,
"pr_file": "posthog/templates/email/personal_api_key_exposed.html",
"discussion_id": "2261639125",
"commented_code": "@@ -0,0 +1,21 @@\n+{% extends \"email/base.html\" %} {% load posthog_assets %} {% load posthog_filters %}\n+{% block heading %}Personal API Key has been deactivated{% endblock %}\n+{% block section %}\n+<p>\n+ Your Personal API Key <strong>{{ label }}</strong> with value <strong>{{ mask_value }}</strong> was publicly exposed.\n+ {% if more_info %}{{ more_info }}{% endif %}",
"comment_created_at": "2025-08-08T01:36:39+00:00",
"comment_author": "Piccirello",
"comment_body": "Django templates escape HTML by default when `{{ }}` is used (autoescaping is on unless explicitly disabled). Also verified that supplying a `more_info` value of `<img src=x />` results in the text being printed literally, rather than rendered as HTML.",
"pr_file_module": null
}
]
}
]