Ensures data-disable-with attribute is properly escaped when uery links are rendered (#42238).

Patch by Holger Just (user:hjust). git-svn-id: https://svn.redmine.org/redmine/trunk@23522 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-01-31 11:37:14 +00:00 · 2025-03-07 07:39:18 +00:00 · 2025-03-07 07:39:18 +00:00 · e9ba222e6b
commit e9ba222e6b
parent 028125e0f1
1 changed files with 1 additions and 1 deletions
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@ -510,7 +510,7 @@ module QueriesHelper
                              url_params.merge(:query_id => query),
                              :class => css,
                              :title => query.description,
-                              :data => { :disable_with => query.name }) +
+                              :data => { :disable_with => CGI.escapeHTML(query.name) }) +
                        clear_link.html_safe)
        end.join("\n").html_safe,
        :class => 'queries'