Sanitize name in user auto complete (#43691).

git-svn-id: https://svn.redmine.org/redmine/trunk@24342 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/assets/javascripts/application-legacy.js

@@ -1348,7 +1348,7 @@ function inlineAutoComplete(element) {
             }
           },
           menuItemTemplate: function (user) {
-            return user.original.name;
+            return sanitizeHTML(user.original.name);
           },
           selectTemplate: function (user) {
             return '@' + user.original.login;

test/system/inline_autocomplete_test.rb

@@ -237,4 +237,20 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase
 
     assert_equal '@jsmith ', find('#issue_notes').value
   end
+
+  def test_inline_autocomplete_for_users_should_escape_html_elements
+    user = User.find(2)
+    user.update!(firstname: 'My <select>')
+
+    log_user(user.login, 'jsmith')
+    visit '/issues/1/edit'
+
+    find('#issue_notes').click
+    fill_in 'issue[notes]', :with => '@My'
+
+    assert_selector '.tribute-container li', count: 1
+    within('.tribute-container') do
+      assert page.has_text? 'My <select> Smith'
+    end
+  end
 end