From d97bebd0e0e3097b2f529c6ffbe7ba8139f9e4d0 Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Fri, 23 Jan 2026 03:40:53 +0000
Subject: [PATCH] Merge r24342 from trunk to 6.1-stable (#43691).

git-svn-id: https://svn.redmine.org/redmine/branches/6.1-stable@24353 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/assets/javascripts/application-legacy.js |  2 +-
 test/system/inline_autocomplete_test.rb      | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/application-legacy.js b/app/assets/javascripts/application-legacy.js
index d73fe440b..8c99876b8 100644
--- a/app/assets/javascripts/application-legacy.js
+++ b/app/assets/javascripts/application-legacy.js
@@ -1348,7 +1348,7 @@ function inlineAutoComplete(element) {
             }
           },
           menuItemTemplate: function (user) {
-            return user.original.name;
+            return sanitizeHTML(user.original.name);
           },
           selectTemplate: function (user) {
             return '@' + user.original.login;
diff --git a/test/system/inline_autocomplete_test.rb b/test/system/inline_autocomplete_test.rb
index 9bd5ac25c..9b5e11278 100644
--- a/test/system/inline_autocomplete_test.rb
+++ b/test/system/inline_autocomplete_test.rb
@@ -237,4 +237,20 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase
 
     assert_equal '@jsmith ', find('#issue_notes').value
   end
+
+  def test_inline_autocomplete_for_users_should_escape_html_elements
+    user = User.find(2)
+    user.update!(firstname: 'My <select>')
+
+    log_user(user.login, 'jsmith')
+    visit '/issues/1/edit'
+
+    find('#issue_notes').click
+    fill_in 'issue[notes]', :with => '@My'
+
+    assert_selector '.tribute-container li', count: 1
+    within('.tribute-container') do
+      assert page.has_text? 'My <select> Smith'
+    end
+  end
 end