Don't accidentally mark unsafe diff lines as HTML safe
Fixes potential XSS issue when a legacy diff note is created on a merge
request whose diff contained HTML
See https://gitlab.com/gitlab-org/gitlab-ce/issues/25249
See merge request !2040
Prior, when the user had their view set to "parallel" and then visited a
merge request's changes tab _without_ passing the `view` parameter via
query string, the view would be parallel but the `Notes` class was
always instantiated with the default value from `diff_view` ("inline"),
resulting in broken markup when the form to add a line note was
dynamically inserted.
The cookie is set whenever the view is changed, so this value should
always be up-to-date.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14557
Diffs with a large number of changed lines time out (504 HTTP error) or
generate a HTML page that's so heavy web browsers struggle with it.
https://github.com/gitlabhq/gitlabhq/pull/5014 introduced limits on
commit line count so that only a safe portion is rendered. This was
later undone by code refactoring in be5b6db8, e0eb4803 and c741fcab.
This patch re-introduces a safe limit on number of lines.
