Context-sensitive XSS bugfix.

fatfreecrm · Oct 27, 2018 · 6d60bc8 · 6d60bc8
1 parent 557fe23
commit 6d60bc8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/helpers/tags_helper.rb b/app/helpers/tags_helper.rb
@@ -17,7 +17,7 @@ def tags_for_index(model)
       elsif !query.include?(hashtag)
         query += " #{hashtag}"
       end
-      out << link_to_function(tag, "crm.search_tagged('#{query}', '#{model.class.to_s.tableize}')", title: tag)
+      out << link_to_function(tag, "crm.search_tagged('#{escape_javascript(query)}', '#{model.class.to_s.tableize}')", title: tag)
     end
   end