authorMarius Balteanu <marius.balteanu@zitec.com>2022-12-04 08:14:51 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2022-12-04 08:14:51 +0000
commit904752b2254199ff8f1513afa93a9e738c630929 (patch)
tree44e9e45680aa14d9bf1a6892bc1ace264ce28330
parent5ddd36da7e95f019162aa1154f763b882c74ad0b (diff)
Merge r21986 from trunk to 5.0-stable (#37755).
git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21988 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/helpers/application_helper.rb2
-rw-r--r--test/helpers/application_helper_test.rb10
2 files changed, 11 insertions, 1 deletions
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3bb8a602d..5c5cf39a5 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -60,7 +60,7 @@ module ApplicationHelper
case principal
when User
name = h(principal.name(options[:format]))
- name = "@" + name if options[:mention]
+ name = "@".html_safe + name if options[:mention]
css_classes = ''
if principal.active? || (User.current.admin? && principal.logged?)
url = user_url(principal, :only_path => only_path)
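Review bot: The new `"@".html_safe + name` line carries no comment, and a bare `.html_safe` is exactly what a later reader auditing this helper for XSS sinks will stop at. The call is justified here because the receiver is a constant literal and `name` is already escaped by `h` on the line above; a plain `"@" + name` returns an unsafe String, so the escaped name would be escaped a second time downstream. I would add above the line: `# "@" is a constant and name is already escaped by h(); starting from an html_safe receiver keeps the SafeBuffer so the escaped name is not escaped again.` The enclosing method begins before this hunk, so the later use of `name` is not visible here.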
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 452892e8b..c68f7495c 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -1841,6 +1841,16 @@ class ApplicationHelperTest < Redmine::HelperTest
assert_equal result, link_to_principal(unknown_principal, :class => 'bar')
end
+ def test_link_to_principal_should_escape_principal_name
+ user = User.generate!(firstname: "firstname<>'", lastname: 'lastname&"')
+ group = Group.generate!(lastname: "group<>'&")
+
+ assert_include "firstname&lt;&gt;&#39; lastname&amp;&quot;", link_to_principal(user)
+ assert_include "@firstname&lt;&gt;&#39; lastname&amp;&quot;", link_to_principal(user, { mention: true })
+ assert_include "group&lt;&gt;&#39;&amp;", link_to_principal(group)
+ assert_include "&lt;&gt;&#39;&amp;", link_to_principal("<>'&")
+ end
+
def test_link_to_group_should_return_only_group_name_for_non_admin_users
User.current = nil
group = Group.find(10)