From e9ba222e6b5e7ac29122e8f035de474a81534ec0 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Fri, 7 Mar 2025 07:39:18 +0000
Subject: [PATCH] Ensures data-disable-with attribute is properly escaped when uery links are rendered (#42238).
Patch by Holger Just (user:hjust).
git-svn-id: https://svn.redmine.org/redmine/trunk@23522 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/queries_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
index 708a8acfb..5e6d91a41 100644
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -510,7 +510,7 @@ module QueriesHelper
 url_params.merge(:query_id => query),
 :class => css,
 :title => query.description,
- :data => { :disable_with => query.name }) +
+ :data => { :disable_with => CGI.escapeHTML(query.name) }) +
 clear_link.html_safe)
 end.join("\n").html_safe, :class => 'queries'
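Review bot: The added `CGI.escapeHTML(query.name)` on the `:disable_with` value carries no comment explaining why a value the tag helper already attribute-escapes needs a second escaping, so a later cleanup could "simplify" it away and reintroduce the issue this commit fixes. Presumably the reason is that rails-ujs writes the `data-disable-with` value into the link via innerHTML when it is clicked, so the decoded attribute value is parsed as HTML at that moment — confirm against the UJS build Redmine ships before wording the comment. I would add directly above the line: `# Escaped on purpose in addition to the tag helper's attribute escaping: rails-ujs later inserts this value as innerHTML.` Keep `CGI.escapeHTML` rather than `h`/`ERB::Util.html_escape`, because it returns a plain (non-html_safe) String and the tag helper therefore still escapes the attribute; an html_safe result would skip that step and leave only one level of escaping. The enclosing helper method starts and ends outside this hunk, so any other `:disable_with` usages in the file are not visible here.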