From 52078b5d764b867c643728ed5839a2cfbd9c5a2c Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 4 Jan 2023 15:41:54 +0000
Subject: [PATCH] Escape each portion of a semicolon seprated value individually

Fixes #3872
---
 app/helpers/browse_tags_helper.rb | 2 +-
 test/helpers/browse_tags_helper_test.rb | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/helpers/browse_tags_helper.rb b/app/helpers/browse_tags_helper.rb
index c6aeb8c54..18598e88d 100644
--- a/app/helpers/browse_tags_helper.rb
+++ b/app/helpers/browse_tags_helper.rb
@@ -32,7 +32,7 @@ module BrowseTagsHelper
 elsif colour_value = colour_preview(key, value)
 tag.span("", :class => "colour-preview-box", :"data-colour" => colour_value, :title => t("browse.tag_details.colour_preview", :colour_value => colour_value)) + colour_value
 else
- safe_join(h(value).split(";").map { |x| linkify(x) }, ";")
+ safe_join(value.split(";").map { |x| linkify(h(x)) }, ";")
 end
 end
 
diff --git a/test/helpers/browse_tags_helper_test.rb b/test/helpers/browse_tags_helper_test.rb
index 2329a7c96..a0e2e8fab 100644
--- a/test/helpers/browse_tags_helper_test.rb
+++ b/test/helpers/browse_tags_helper_test.rb
@@ -22,6 +22,9 @@ class BrowseTagsHelperTest < ActionView::TestCase
 html = format_value("unknown", "unknown")
 assert_dom_equal "unknown", html
 
+ html = format_value("addr:street", "Rue de l'Amigo")
+ assert_dom_equal "Rue de l'Amigo", html
+
 html = format_value("phone", "+1234567890")
 assert_dom_equal "+1234567890", html
 
-- 
2.39.5
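Review bot: The new `safe_join(value.split(";").map { |x| linkify(h(x)) }, ";")` line does not record why the split has to come before the escaping, so a later tidy-up could hoist `h` back outside the split and reintroduce the bug. A comment above it such as `# Split before escaping: h() emits entities like &#39; whose ";" would otherwise be taken as a separator` would pin the ordering. The output encoding of this branch now also depends on `linkify` accepting an already-escaped, html_safe string and returning it without escaping it a second time or adding markup derived from the value. `linkify` is defined outside this patch, so that is presumably the case but worth confirming. The enclosing method starts outside the hunk.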
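Review bot: The added `addr:street` case covers a single value with an apostrophe, but nothing in this hunk exercises a value with more than one semicolon-separated part containing markup characters. That means the test does not pin that every piece is escaped on its own and that the separators survive. I would add a multi-value assertion with constructed values, for example `html = format_value("unknown", "a<b;c&d")` followed by `assert_dom_equal "a&lt;b;c&amp;d", html`, so a regression that drops `h(x)` from the map is caught. The test method starts and ends outside the hunk.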