Possible open redirect vulnerability
When uploading an HTML document that includes a <script>, the attacker can redirect to any website.
This isn't so bad; it just allows datatrash to be used as an unchecked link shortener, which should be avoided.
The fix would be to add a strict CSP to datatrash and make sure that no executable content will be served in such a way that the browser runs it.
Possible CSP fix: Only allow styles/scripts/etc from paths that belong to the application and are not uploaded files
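One way to combine the two suggestions above, as an added example that is not datatrash's own code: pick the response headers per route so uploads get a locked-down policy and application pages only load subresources from the application's own path. The /files/ and /static/ prefixes, the origin and the function names are assumptions.

```python
# Added example: choose response headers per route so uploads are never run by the browser.
# UPLOAD_PREFIX, STATIC_PREFIX, the origin and the function names are assumptions.
UPLOAD_PREFIX = "/files/"
STATIC_PREFIX = "/static/"

# Media types a browser renders as active content (constructed list, not exhaustive).
ACTIVE_TYPES = {
    "text/html", "text/xml", "application/xml",
    "text/javascript", "application/javascript",
}

# Policy for uploaded files: load nothing, and sandbox the document so that
# scripts and other automatic features are disabled.
UPLOAD_CSP = ("default-src 'none'; sandbox; form-action 'none'; "
              "base-uri 'none'; frame-ancestors 'none'")


def is_active(media_type):
    """True when the type could be rendered as a document or executed."""
    return media_type in ACTIVE_TYPES or media_type.endswith("+xml")


def response_headers(path, stored_type, origin="https://datatrash.example"):
    """Return the security-relevant headers for a response to `path`."""
    headers = {"X-Content-Type-Options": "nosniff"}  # no MIME sniffing on any route
    if path.startswith(UPLOAD_PREFIX):
        media_type = stored_type.split(";", 1)[0].strip().lower()
        if not media_type:
            headers["Content-Type"] = "application/octet-stream"
        elif is_active(media_type):
            # Serve markup and scripts as plain text so they display as source.
            headers["Content-Type"] = "text/plain; charset=utf-8"
        else:
            headers["Content-Type"] = stored_type
        headers["Content-Security-Policy"] = UPLOAD_CSP
    else:
        # Application pages: subresources only from the application's own
        # static path, so a URL under UPLOAD_PREFIX never matches.
        static = origin + STATIC_PREFIX
        headers["Content-Type"] = stored_type
        headers["Content-Security-Policy"] = (
            f"default-src 'none'; script-src {static}; style-src {static}; "
            f"img-src {static}; form-action 'self'; base-uri 'none'; "
            "frame-ancestors 'none'"
        )
    return headers
```

Serving uploads from a separate origin would isolate them further, but the per-route headers above already keep an uploaded file from being executed on the application's origin.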