From 6c06b7fdfa229a59627ed7ede6ffb6a4a8602efa Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Fri, 23 Jan 2026 03:43:34 +0000
Subject: [PATCH] Merge r24343 from trunk to 6.1-stable (#43694).

git-svn-id: https://svn.redmine.org/redmine/branches/6.1-stable@24354 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/assets/javascripts/application-legacy.js |  2 +-
 test/system/query_test.rb                    | 33 ++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 test/system/query_test.rb

diff --git a/app/assets/javascripts/application-legacy.js b/app/assets/javascripts/application-legacy.js
index 8c99876b8..bc9835c7a 100644
--- a/app/assets/javascripts/application-legacy.js
+++ b/app/assets/javascripts/application-legacy.js
@@ -207,7 +207,7 @@ function buildFilterRow(field, operator, values) {
   var select;
 
   var tr = $('<div class="filter">').attr('id', 'tr_'+fieldId).html(
-    '<div class="field"><input checked="checked" id="cb_'+fieldId+'" name="f[]" value="'+field+'" type="checkbox"><label for="cb_'+fieldId+'"> '+filterOptions['name']+'</label></div>' +
+    '<div class="field"><input checked="checked" id="cb_'+fieldId+'" name="f[]" value="'+field+'" type="checkbox"><label for="cb_'+fieldId+'"> '+sanitizeHTML(filterOptions['name'])+'</label></div>' +
     '<div class="operator"><select id="operators_'+fieldId+'" name="op['+field+']"></select></div>' +
     '<div class="values"></div>'
   );
diff --git a/test/system/query_test.rb b/test/system/query_test.rb
new file mode 100644
index 000000000..aaa0a3ff5
--- /dev/null
+++ b/test/system/query_test.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006-  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require_relative '../application_system_test_case'
+
+class QuerySystemTest < ApplicationSystemTestCase
+  def test_query_filter_row_should_escape_html_elements
+    cf = IssueCustomField.create!(name: 'My <select>', field_format: 'string', is_filter: true)
+
+    log_user('jsmith', 'jsmith')
+    visit '/issues'
+    # click_on 'Add filter'
+    select 'My <select>', from: 'Add filter'
+
+    assert_selector "div#tr_cf_#{cf.id} label", text: 'My <select>'
+  end
+end