Ensure that values of multi-value fields are HTML-escaped in issue li…

…st (#27186). Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@16984 e93f8b46-1217-0410-a6f0-8f06a7374b81
redmine · Oct 15, 2017 · 56c8ee0 · 56c8ee0
1 parent 1a09764
commit 56c8ee0
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
@@ -201,7 +201,8 @@ def column_header(query, column, options={})
   def column_content(column, item)
     value = column.value_object(item)
     if value.is_a?(Array)
-      value.collect {|v| column_value(column, item, v)}.compact.join(', ').html_safe
+      values = value.collect {|v| column_value(column, item, v)}.compact
+      safe_join(values, ', ')
     else
       column_value(column, item, value)
     end