Don't use raw output in timelog (#27186).

git-svn-id: http://svn.redmine.org/redmine/trunk@16983 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/views/timelog/_list.html.erb b/app/views/timelog/_list.html.erb
index 21115dfde25c5ebbcd28d0c8ebbc1040162eaceb..6f126b0f7a04bf5904fa52a52edb4d4638da0b1e 100644 (file)
--- a/app/views/timelog/_list.html.erb
+++ b/app/views/timelog/_list.html.erb
@@ -33,7 +33,9 @@
   <% end %>
   <tr id="time-entry-<%= entry.id %>" class="time-entry <%= cycle("odd", "even") %> hascontextmenu">
     <td class="checkbox hide-when-print"><%= check_box_tag("ids[]", entry.id, false, :id => nil) %></td>
-    <%= raw @query.inline_columns.map {|column| "<td class=\"#{column.css_classes}\">#{column_content(column, entry)}</td>"}.join %>
+    <% @query.inline_columns.each do |column| %>
+    <%= content_tag('td', column_content(column, entry), :class => column.css_classes) %>
+    <% end %>
     <td class="buttons">
     <% if entry.editable_by?(User.current) -%>
         <%= link_to l(:button_edit), edit_time_entry_path(entry),