From 1a0976417975a128b0a932ba1552c37e9414953b Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 15 Oct 2017 11:06:20 +0000
Subject: Don't use raw output in timelog (#27186).

git-svn-id: http://svn.redmine.org/redmine/trunk@16983 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/timelog/_list.html.erb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/views/timelog/_list.html.erb b/app/views/timelog/_list.html.erb
index 21115dfde..6f126b0f7 100644
--- a/app/views/timelog/_list.html.erb
+++ b/app/views/timelog/_list.html.erb
@@ -33,7 +33,9 @@
   <% end %>
   <tr id="time-entry-<%= entry.id %>" class="time-entry <%= cycle("odd", "even") %> hascontextmenu">
     <td class="checkbox hide-when-print"><%= check_box_tag("ids[]", entry.id, false, :id => nil) %></td>
-    <%= raw @query.inline_columns.map {|column| "<td class=\"#{column.css_classes}\">#{column_content(column, entry)}</td>"}.join %>
+    <% @query.inline_columns.each do |column| %>
+    <%= content_tag('td', column_content(column, entry), :class => column.css_classes) %>
+    <% end %>
     <td class="buttons">
     <% if entry.editable_by?(User.current) -%>
         <%= link_to l(:button_edit), edit_time_entry_path(entry),
-- 
cgit v1.2.3