From 36c02a29291f37aba1c087f923c0b2050224cedb Mon Sep 17 00:00:00 2001
From: Simon Heather <32168619+X-Guardian@users.noreply.github.com>
Date: Thu, 7 Nov 2024 23:48:30 +0000
Subject: [PATCH] Fix code scanning alert no. 12: Reflected cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Simon Heather <32168619+X-Guardian@users.noreply.github.com>
---
 server/controllers/events/events_controller.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/controllers/events/events_controller.go b/server/controllers/events/events_controller.go
index b2687182ff..3d0e97cbc7 100644
--- a/server/controllers/events/events_controller.go
+++ b/server/controllers/events/events_controller.go
@@ -16,6 +16,7 @@ package events
 import (
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"strings"
@@ -178,7 +179,7 @@ func (e *VCSEventsController) handleGithubPost(w http.ResponseWriter, r *http.Re
 		return
 	}
-	githubReqID := "X-Github-Delivery=" + r.Header.Get("X-Github-Delivery")
+	githubReqID := "X-Github-Delivery=" + html.EscapeString(r.Header.Get("X-Github-Delivery"))
 	logger := e.Logger.With("gh-request-id", githubReqID)
 	scope := e.Scope.SubScope("github_event")
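Review bot: The `html.EscapeString` call on the new `githubReqID` line escapes at the wrong layer and with the wrong encoder: the escaped value is bound straight into the structured logger on the next line (`logger := e.Logger.With("gh-request-id", githubReqID)`), so log entries will now carry `&lt;`, `&#39;` and `&amp;` for a value that is never HTML in that sink, while the characters that matter for log injection (CR/LF and other control bytes) pass through `html.EscapeString` untouched. The HTML-reflecting sink the scanner flagged is outside this hunk, so I cannot confirm where the value reaches a response, but the robust fix is to validate the attacker-controlled header against the shape GitHub actually sends (to my knowledge a GUID) before it is used anywhere, and to escape at the rendering sink if one exists, rather than pre-escaping a correlation ID. With a whitelist check the new `"html"` import is no longer needed and a `regexp` import (compiled once at package scope) is required instead; `handleGithubPost` continues past the end of the hunk, so any later use of `githubReqID` in a response body should be checked for the same reason.

```go
// deliveryIDPattern accepts only the hex/dash GUID shape GitHub uses for X-Github-Delivery;
// anything else is treated as hostile and replaced, so the value is safe to log or echo.
var deliveryIDPattern = regexp.MustCompile(`^[0-9a-fA-F-]{1,64}$`)

// … unchanged: request validation and early returns …
	deliveryID := r.Header.Get("X-Github-Delivery")
	if !deliveryIDPattern.MatchString(deliveryID) {
		deliveryID = "invalid"
	}
	githubReqID := "X-Github-Delivery=" + deliveryID
	logger := e.Logger.With("gh-request-id", githubReqID)
```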