From 56c8ee0440d8555aa7822d947ba9091c8a791508 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 15 Oct 2017 11:08:46 +0000
Subject: [PATCH] Ensure that values of multi-value fields are HTML-escaped in issue list (#27186). Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@16984 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/queries_helper.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
index acab44536c8..a4c3c3e7b3f 100644
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -201,7 +201,8 @@ def column_header(query, column, options={})
 def column_content(column, item)
 value = column.value_object(item)
 if value.is_a?(Array)
- value.collect {|v| column_value(column, item, v)}.compact.join(', ').html_safe
+ values = value.collect {|v| column_value(column, item, v)}.compact
+ safe_join(values, ', ')
 else
 column_value(column, item, value)
 end
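Review bot: The Array branch of `column_content` now depends on `safe_join` escaping every element that `column_value` returns without the `html_safe` flag, but nothing in the hunk says so, and the diffstat shows no test accompanying the change. A comment above the join such as `# safe_join escapes each value unless it is already html_safe; do not call html_safe on the joined string` would keep the old `.join(', ').html_safe` form from being reintroduced. A helper test that renders a multi-value field whose value contains markup and asserts the output is entity-encoded would pin the behaviour. The `else` branch still returns `column_value` unchanged, so it presumably relies on the template escaping non-safe strings; that is worth confirming at the call sites, which are outside this hunk, as is the end of `column_content`.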