From c73bc29866197ad5c7c271d5e00d19f093dd7c77 Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Tue, 4 Oct 2022 19:01:37 +0000
Subject: [PATCH] Merge r21894 from trunk to 4.2-stable (#37751).

git-svn-id: https://svn.redmine.org/redmine/branches/4.2-stable@21896 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redmine/wiki_formatting/textile/redcloth3.rb           | 2 +-
 .../lib/redmine/wiki_formatting/textile_formatter_test.rb  | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index 2816e1c90..347743105 100644
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -690,7 +690,7 @@ class RedCloth3 < String
 
     def textile_bq( tag, atts, cite, content )
         cite, cite_title = check_refs( cite )
-        cite = " cite=\"#{cite}\"" if cite
+        cite = " cite=\"#{htmlesc cite.dup}\"" if cite
         atts = shelve( atts ) if atts
         "\t<blockquote#{cite}>\n\t\t<p#{atts}>#{content}</p>\n\t</blockquote>"
     end
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 5ee4defe1..28a3d92ab 100644
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -703,6 +703,13 @@ class Redmine::WikiFormatting::TextileFormatterTest < ActionView::TestCase
     assert_equal expected.gsub(%r{[\r\n\t]}, ''), to_html(text).gsub(%r{[\r\n\t]}, '')
   end
 
+  def test_should_escape_bq_citations
+    assert_html_output({
+      %{bq.:http://x/"onmouseover="alert(document.domain) Hover me} =>
+        %{<blockquote cite="http://x/&quot;onmouseover=&quot;alert(document.domain)">\n\t\t<p>Hover me</p>\n\t</blockquote>}
+    }, false)
+  end
+
   private
 
   def assert_html_output(to_test, expect_paragraph = true)
-- 
2.39.5