Hello,
Previously, the alert() helper would consider any text passed to it as
html_safe. This led to a CVE, where user provided data was passed into the
text field of the alert, leading to a possible stored XSS (cross site
scripting) vulnerability.
https://github.com/theforeman/foreman/pull/3996 was merged to fix this CVE,
considering any text passed to the helper as unsafe by default and escaping
it.
If you need to include HTML in the field text, please mark it as html_safe
before passing to the helper, and make sure to properly escape any possible
user input in it.
For some examples, take a look at the changes made to core in the merged
commit.