From 587fd2fbc6261d8cae76c2cd6be58e83232f86c1 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 22 Jan 2026 18:12:19 +0000
Subject: [PATCH] Sanitize name in user auto complete (#43691).

git-svn-id: https://svn.redmine.org/redmine/trunk@24342 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/assets/javascripts/application-legacy.js | 2 +-
 test/system/inline_autocomplete_test.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/application-legacy.js b/app/assets/javascripts/application-legacy.js
index 6bd315721..3294615a9 100644
--- a/app/assets/javascripts/application-legacy.js
+++ b/app/assets/javascripts/application-legacy.js
@@ -1348,7 +1348,7 @@ function inlineAutoComplete(element) {
       }
     },
     menuItemTemplate: function (user) {
-      return user.original.name;
+      return sanitizeHTML(user.original.name);
     },
     selectTemplate: function (user) {
       return '@' + user.original.login;
diff --git a/test/system/inline_autocomplete_test.rb b/test/system/inline_autocomplete_test.rb
index 9bd5ac25c..9b5e11278 100644
--- a/test/system/inline_autocomplete_test.rb
+++ b/test/system/inline_autocomplete_test.rb
@@ -237,4 +237,20 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase
     assert_equal '@jsmith ', find('#issue_notes').value
   end
+
+  def test_inline_autocomplete_for_users_should_escape_html_elements user = User.find(2) user.update!(firstname: 'My Smith' end end end
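Review bot: The `sanitizeHTML(...)` wrapper in `menuItemTemplate` is the entire XSS fix and nothing at the call site says why it is there, so a later edit could drop it without noticing; I would add `// user.original.name is user-controlled and Tribute inserts this return value as HTML — keep it escaped` above the `return`. The hunk does not show what `sanitizeHTML` does: if it is a tag-stripping sanitizer rather than an entity escaper, a first name such as `<b>` would be silently removed from the menu instead of displayed, so it is worth confirming that it escapes rather than strips. The same Tribute configuration presumably has other collections (issues, wiki pages) whose `menuItemTemplate` values are also built from user-entered data; check that those return escaped strings too, since this commit only covers the user collection. `selectTemplate` returning `'@' + user.original.login` goes into the textarea value rather than the DOM, so it does not need the same treatment. The enclosing `inlineAutoComplete` function starts and ends outside the hunk.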