Ensure that values of multi-value fields are HTML-escaped in issue history (#27186).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb

index cb0c2771568fede65657d2ce9e45e1bd10f99015..ef229f955388fc1786ea5266810165313e259c3f 100644 (file)
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -177,7 +177,8 @@ module ApplicationHelper
      end
      case object.class.name
      when 'Array'
-      object.map {|o| format_object(o, html)}.join(', ').html_safe
+      formatted_objects = object.map {|o| format_object(o, html)}
+      html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ')
      when 'Time'
        format_time(object)
      when 'Date'
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 15 Oct 2017 11:09:43 +0000 (11:09 +0000)