Merge commit from fork

When a view returns an `HttpResponseNotFound` object, the `Content-Type`
header is set to `text/html` by default. Therefore, including external data
(in this case, the request ID) in the output without any escaping or
validation leads to a vulnerability. If an attacker can trick a user into
following a malicious link, they can include HTML elements in the request ID
that execute malicious JavaScript code in the victim's browser. That code
will be able to make requests to the CVAT API with the user's privileges.

The simplest fix for this is to not include variable data in the error
message, which is what I did.

In the long run, I think we need to get rid of these HTML responses,
since it doesn't make sense for a JSON API to return HTML.

changelog.d/20240912_201524_roman_xss_requests.md

@@ -0,0 +1,4 @@
+### Security
+
+- Fixed an XSS vulnerability in request-related endpoints
+  (<https://github.com/cvat-ai/cvat/security/advisories/GHSA-hp6c-f34j-qjj7>)

cvat/apps/engine/views.py

@@ -3391,7 +3391,7 @@ def retrieve(self, request: HttpRequest, pk: str):
         job = self._get_rq_job_by_id(pk)
 
         if not job:
-            return HttpResponseNotFound(f"There is no request with specified id: {pk}")
+            return HttpResponseNotFound("There is no request with specified id")
 
         self.check_object_permissions(request, job)
 
@@ -3428,7 +3428,7 @@ def cancel(self, request: HttpRequest, pk: str):
         rq_job = self._get_rq_job_by_id(pk)
 
         if not rq_job:
-            return HttpResponseNotFound(f"There is no request with specified id: {pk!r}")
+            return HttpResponseNotFound("There is no request with specified id")
 
         self.check_object_permissions(request, rq_job)