From 94f7cfbf990028348b9262578acbc53a94fce448 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 15 Oct 2017 11:09:43 +0000
Subject: [PATCH] Ensure that values of multi-value fields are HTML-escaped in issue history (#27186).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@16985 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/application_helper.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index cb0c27715..ef229f955 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -177,7 +177,8 @@ module ApplicationHelper
 end
 case object.class.name
 when 'Array'
- object.map {|o| format_object(o, html)}.join(', ').html_safe
+ formatted_objects = object.map {|o| format_object(o, html)}
+ html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ')
 when 'Time'
 format_time(object)
 when 'Date'
-- 
2.39.5
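Review bot: The `when 'Array'` branch now has two different return contracts and nothing in the hunk records them: with `html` true it returns the result of `safe_join`, which escapes every element that is not already marked `html_safe`, while with `html` false it returns a plain String that is no longer marked safe. I would add a comment above the ternary such as `# html=false yields a plain, unescaped String; callers must not mark it html_safe`, because a caller that wraps the result in `raw` or `html_safe` would bring back the unescaped output this patch removes. The diffstat lists only application_helper.rb, so no regression test accompanies the fix; a helper test that passes an array containing markup and asserts the escaped output would pin the behaviour. format_object starts and ends outside the hunk, so the escaping done by its other branches cannot be checked from here.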