ChangeUpdate: Sanitize all footers

When adding the patch set description field, we didn't remember to
sanitize the footer value, leading to I449eded0. Fix this problem more
generally by sanitizing everything that uses the addFooter method. Leave
comments about things that are appended direclty, to set a good example
for future work.

Change-Id: Icafd0d0d870a6029a28a230d21f40d0e156db427

gerrit-server/src/main/java/com/google/gerrit/server/notedb/ChangeUpdate.java

@@ -600,7 +600,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
     }
 
     if (subject != null) {
-      addFooter(msg, FOOTER_SUBJECT, sanitizeFooter(subject));
+      addFooter(msg, FOOTER_SUBJECT, subject);
     }
 
     if (branch != null) {
@@ -648,6 +648,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
 
     for (Table.Cell<String, Account.Id, Optional<Short>> c : approvals.cellSet()) {
       addFooter(msg, FOOTER_LABEL);
+      // Label names/values are safe to append without sanitizing.
       if (!c.getValue().isPresent()) {
         msg.append('-').append(c.getRowKey());
       } else {
@@ -674,6 +675,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
 
         if (rec.labels != null) {
           for (SubmitRecord.Label label : rec.labels) {
+            // Label names/values are safe to append without sanitizing.
             addFooter(msg, FOOTER_SUBMITTED_WITH)
                 .append(label.status)
                 .append(": ")
@@ -765,7 +767,7 @@ public class ChangeUpdate extends AbstractChangeUpdate {
   private static void addFooter(StringBuilder sb, FooterKey footer, Object... values) {
     addFooter(sb, footer);
     for (Object value : values) {
-      sb.append(value);
+      sb.append(sanitizeFooter(Objects.toString(value)));
     }
     sb.append('\n');
   }