[Plugin maintainers] change to alert() helper, action needed


Previously, the alert() helper would consider any text passed to it as
html_safe. This led to a CVE, where user-provided data was passed into the
text field of the alert, leading to a possible stored XSS (cross-site
scripting) vulnerability.
https://github.com/theforeman/foreman/pull/3996 was merged to fix this CVE,
considering any text passed to the helper as unsafe by default and escaping
If you need to include HTML in the field text, please mark it as html_safe
before passing to the helper, and make sure to properly escape any possible
user input in it.
For some examples, take a look at the changes made to core in the merged

--
Have a nice day,
Tomer Brisker
Red Hat Engineering
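
The escaping rule described in the message above, as an added example that is not part of the original e-mail and is not Foreman's code. `SafeString`, the `String` patch and `render_alert_text` are hypothetical stand-ins for the Rails `html_safe` mechanism and for the helper's escape-by-default behaviour, and the user input is a constructed sample.

```ruby
require 'erb'

# Stand-in for the Rails safe-string type (assumption: ActiveSupport is not
# loaded here). A string counts as trusted only when explicitly marked.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Hypothetical model of the helper's contract after the fix: text is escaped
# unless the caller has marked it html_safe.
def render_alert_text(text)
  text.html_safe? ? text.to_s : ERB::Util.html_escape(text)
end

USER_INPUT = '<script>x()</script>' # constructed sample of user-provided data

# Plain text: nothing for the plugin to do, the helper escapes it.
def plain_alert(name)
  render_alert_text("Host #{name} was updated")
end

# Wrong: marking the whole string html_safe also trusts the user input in it,
# which brings back the stored XSS the change was meant to close.
def unescaped_markup_alert(name)
  render_alert_text("<b>#{name}</b> was updated".html_safe)
end

# Right: escape the user-provided part first, then mark the markup html_safe.
def escaped_markup_alert(name)
  render_alert_text("<b>#{ERB::Util.html_escape(name)}</b> was updated".html_safe)
end

puts plain_alert(USER_INPUT)
puts unescaped_markup_alert(USER_INPUT)
puts escaped_markup_alert(USER_INPUT)
```

When auditing a plugin, every `html_safe` call on a string that reaches the helper is a place to check that each interpolated value is either a constant or has been escaped.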