From e9bdd218fa2da218487b7171428241fa559e9c28 Mon Sep 17 00:00:00 2001
From: sboursen-scinote
Date: Fri, 10 Mar 2023 09:46:45 +0100
Subject: [PATCH] Sanitize te user_names_with_roles [SCI-8007]
---
 app/helpers/projects_helper.rb | 3 ++-
 app/views/protocols/index/_users_list.html.erb | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 1fb5f6432..2d5ca1ba7 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -14,7 +14,8 @@ module ProjectsHelper
 end
 def user_names_with_roles(user_assignments)
- user_assignments.map { |up| user_name_with_role(up) }.join(' ')
+ names_with_roles = user_assignments.map { |up| user_name_with_role(up) }.join(' ')
+ sanitize_input(names_with_roles)
 end
 def user_name_with_role(user_assignment)
diff --git a/app/views/protocols/index/_users_list.html.erb b/app/views/protocols/index/_users_list.html.erb
index fe4465956..5db1d1544 100644
--- a/app/views/protocols/index/_users_list.html.erb
+++ b/app/views/protocols/index/_users_list.html.erb
@@ -6,7 +6,7 @@ <% more_users = protocol.user_assignments[3..-1].to_a %> <% if more_users.any? %> - + +<%= more_users.size %> <% end %>
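Review bot: In `user_names_with_roles`, `sanitize_input(names_with_roles)` sanitizes HTML on the already-joined string, which is not the same as output encoding for the place the value is rendered. `sanitize_input` is defined outside this patch; if it returns an `html_safe` string, the `<%= %>` in `_users_list.html.erb` will stop escaping it, so a quote character in a user name would need separate encoding should the value land in an attribute such as a tooltip `title` (the changed view line is not legible here, so this is to be confirmed). Encoding each entry where it is built, e.g. `ERB::Util.html_escape(...)` inside `user_name_with_role` (its body is outside the hunk), would cover every caller of that helper rather than only this one. A comment such as `# Returns the space-joined user/role labels after sanitize_input; intended for HTML body context` would record the output contract for the next caller.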