From: Go MAEDA <maeda@farend.jp>
Date: Fri, 19 Mar 2021 04:37:46 +0000 (+0000)
Subject: Merged r20827 from trunk to 4.1-stable (#33846).
X-Git-Tag: 4.1.2~2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=35f5165c2dfc0364514541d38840e12024e2bc91;p=redmine.git

Merged r20827 from trunk to 4.1-stable (#33846).


git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@20828 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index c1b1c7c71..e2cd3d1b7 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -8,6 +8,12 @@ $.ajaxPrefilter(function (s) {
   }
 });
 
+function sanitizeHTML(string) {
+  var temp = document.createElement('span');
+  temp.textContent = string;
+  return temp.innerHTML;
+}
+
 function checkAll(id, checked) {
   $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked);
 }
@@ -1062,6 +1068,9 @@ function inlineAutoComplete(element) {
       requireLeadingSpace: true,
       selectTemplate: function (issue) {
         return '#' + issue.original.id;
+      },
+      menuItemTemplate: function (issue) {
+        return sanitizeHTML(issue.original.label);
       }
     });
 
diff --git a/test/system/inline_autocomplete_test.rb b/test/system/inline_autocomplete_test.rb
index 7d557f4c6..04bf0dd0c 100644
--- a/test/system/inline_autocomplete_test.rb
+++ b/test/system/inline_autocomplete_test.rb
@@ -129,4 +129,17 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase
 
     page.has_css?('.tribute-container li', minimum: 1)
   end
+
+  def test_inline_autocomplete_for_issues_should_escape_html_elements
+    issue = Issue.generate!(subject: 'This issue has a <select> element', project_id: 1, tracker_id: 1)
+
+    log_user('jsmith', 'jsmith')
+    visit 'projects/1/issues/new'
+
+    fill_in 'Description', :with => '#This'
+
+    within('.tribute-container') do
+      assert page.has_text? "Bug ##{issue.id}: This issue has a <select> element"
+    end
+  end
 end