From: Tom Hughes Date: Wed, 4 Jan 2023 15:41:54 +0000 (+0000) Subject: Escape each portion of a semicolon seprated value individually X-Git-Tag: live~1399 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/52078b5d764b867c643728ed5839a2cfbd9c5a2c Escape each portion of a semicolon seprated value individually Fixes #3872
---
diff --git a/app/helpers/browse_tags_helper.rb b/app/helpers/browse_tags_helper.rb
index c6aeb8c54..18598e88d 100644
--- a/app/helpers/browse_tags_helper.rb
+++ b/app/helpers/browse_tags_helper.rb
@@ -32,7 +32,7 @@ module BrowseTagsHelper
 elsif colour_value = colour_preview(key, value)
 tag.span("", :class => "colour-preview-box", :"data-colour" => colour_value, :title => t("browse.tag_details.colour_preview", :colour_value => colour_value)) + colour_value
 else
- safe_join(h(value).split(";").map { |x| linkify(x) }, ";")
+ safe_join(value.split(";").map { |x| linkify(h(x)) }, ";")
 end
 end
diff --git a/test/helpers/browse_tags_helper_test.rb b/test/helpers/browse_tags_helper_test.rb
index 2329a7c96..a0e2e8fab 100644
--- a/test/helpers/browse_tags_helper_test.rb
+++ b/test/helpers/browse_tags_helper_test.rb
@@ -22,6 +22,9 @@ class BrowseTagsHelperTest < ActionView::TestCase
 html = format_value("unknown", "unknown")
 assert_dom_equal "unknown", html
+ html = format_value("addr:street", "Rue de l'Amigo")
+ assert_dom_equal "Rue de l'Amigo", html
+
 html = format_value("phone", "+1234567890")
 assert_dom_equal "+1234567890", html
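Review bot: The order of operations on the new `safe_join(value.split(";").map { |x| linkify(h(x)) }, ";")` line in app/helpers/browse_tags_helper.rb is what keeps this output correctly escaped, and nothing in the code says so. `h` turns an apostrophe into `&#39;`, which itself contains a `;`, so escaping before the split cuts the entity in two, and a later tidy-up back to `h(value).split(";")` would reintroduce the problem. I would add a comment above the line: `# Split the raw value first, then escape each part: h() emits entities such as &#39; that contain ";".` This assumes `linkify` does not re-escape a string that is already html_safe, which is not visible in this hunk; the enclosing method also starts outside the hunk.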
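Review bot: The case added in test/helpers/browse_tags_helper_test.rb uses a value with no `;` in it, so the per-part escaping this commit introduces is only ever run on a single part. A later change that escaped just the first part, or skipped `h` for the remaining ones, would still pass this test. I would add a multi-part case with markup characters in the second part, for example `html = format_value("unknown", "a;<b>c</b>")` followed by `assert_dom_equal "a;&lt;b&gt;c&lt;/b&gt;", html` (constructed sample values, assuming the key `unknown` reaches the same `else` branch as the existing case).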