Ensure that values of multi-value fields are HTML-escaped in issue history (#27186).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@16985 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 15:01:14 +00:00 · 2017-10-15 11:09:43 +00:00 · 2017-10-15 11:09:43 +00:00 · 94f7cfbf99
commit 94f7cfbf99
parent 56c8ee0440
1 changed files with 2 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -177,7 +177,8 @@ module ApplicationHelper
    end
    case object.class.name
    when 'Array'
-      object.map {|o| format_object(o, html)}.join(', ').html_safe
+      formatted_objects = object.map {|o| format_object(o, html)}
+      html ? safe_join(formatted_objects, ', ') : formatted_objects.join(', ')
    when 'Time'
      format_time(object)
    when 'Date'