At several places throughout the codebase, we use homemade, half-baked HTML escaping like errors.html_format. It’s probably better to use html.escape everywhere instead, probably with quote=True in most (all?) places.
No due date set.
This issue currently doesn't have any dependencies.
Deleting a branch is permanent. It CANNOT be undone. Continue?