Fix that inline issue auto complete does not sanitize HTML tags (#33846).

Patch by Marius BALTEANU.


git-svn-id: http://svn.redmine.org/redmine/trunk@20827 e93f8b46-1217-0410-a6f0-8f06a7374b81

public/javascripts/application.js

@@ -1,6 +1,12 @@
 /* Redmine - project management software
    Copyright (C) 2006-2020  Jean-Philippe Lang */
 
+function sanitizeHTML(string) {
+  var temp = document.createElement('span');
+  temp.textContent = string;
+  return temp.innerHTML;
+}
+
 function checkAll(id, checked) {
   $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked);
 }
@@ -1161,6 +1167,9 @@ function inlineAutoComplete(element) {
           selectTemplate: function (issue) {
             return '#' + issue.original.id;
           },
+          menuItemTemplate: function (issue) {
+            return sanitizeHTML(issue.original.label);
+          },
           noMatchTemplate: function () {
             return '<span style:"visibility: hidden;"></span>';
           }