diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-10-15 11:09:43 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-10-15 11:09:43 +0000 |
| commit | 94f7cfbf990028348b9262578acbc53a94fce448 (patch) | |
| tree | 4147958a4239e83017d688afa167126012030207 /app | |
| parent | 56c8ee0440d8555aa7822d947ba9091c8a791508 (diff) | |
| download | redmine-94f7cfbf990028348b9262578acbc53a94fce448.tar.gz redmine-94f7cfbf990028348b9262578acbc53a94fce448.zip | |
Ensure that values of multi-value fields are HTML-escaped in issue history (#27186).
Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@16985 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
| -rw-r--r-- | app/helpers/application_helper.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index cb0c27715..ef229f955 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -177,7 +177,8 @@ module ApplicationHelper end case object.class.name when 'Array' - object.map {|o| format_object(o, html)}.join(', ').html_safe + formatted_objects = object.map {|o| format_object(o, html)} + html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ') when 'Time' format_time(object) when 'Date' |