Commit 94f7cfb

Ensure that values of multi-value fields are HTML-escaped in issue history (#27186).
Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@16985 e93f8b46-1217-0410-a6f0-8f06a7374b81
1 parent 56c8ee0 commit 94f7cfb

1 file changed

+2
-1
lines changed

Diff for: app/helpers/application_helper.rb

@@ -177,7 +177,8 @@ def format_object(object, html=true, &block)
177177
end
178178
case object.class.name
179179
when 'Array'
180-
object.map {|o| format_object(o, html)}.join(', ').html_safe
180+
formatted_objects = object.map {|o| format_object(o, html)}
181+
html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ')
181182
when 'Time'
182183
format_time(object)
183184
when 'Date'
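
Review bot: The new `html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ')` line in the 'Array' branch ships without a test, and this commit changes only app/helpers/application_helper.rb. Add a helper test that passes an array containing a string with markup (a constructed value such as `<b>x</b>` is enough) and asserts that the output is escaped when html is true, and that the html=false result is a plain joined string that is not marked html_safe. A short comment on this line would also help: safe_join escapes every element that is not already html_safe, so the branch relies on format_object returning html_safe strings for anything it renders as markup, and any element that does not will now be displayed escaped.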
