From 1c0bdc0410154d1d930a3d98b7d018ca1c1673d1 Mon Sep 17 00:00:00 2001
From: Amos Benari
Date: Mon, 28 Apr 2014 16:51:54 +0300
Subject: [PATCH] fixes #5471 html escape auto-completer values.

---
 app/controllers/concerns/foreman/controller/auto_complete_search.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/concerns/foreman/controller/auto_complete_search.rb b/app/controllers/concerns/foreman/controller/auto_complete_search.rb
index eca8e14..8579c5c 100644
--- a/app/controllers/concerns/foreman/controller/auto_complete_search.rb
+++ b/app/controllers/concerns/foreman/controller/auto_complete_search.rb
@@ -6,10 +6,10 @@ module Foreman::Controller::AutoCompleteSearch
     model = controller_name == "hosts" ? Host::Managed : model_of_controller
     @items = model.complete_for(params[:search])
     @items = @items.map do |item|
-      category = (['and','or','not','has'].include?(item.to_s.sub(/^.*\s+/,''))) ? 'Operators' : ''
+      category = (['and','or','not','has'].include?(item.to_s.sub(/^.*\s+/,''))) ? _('Operators') : ''
       part = item.to_s.sub(/^.*\b(and|or)\b/i) {|match| match.sub(/^.*\s+/,'')}
       completed = item.to_s.chomp(part)
-      {:completed => completed, :part => part, :label => item, :category => category}
+      {:completed => CGI::escapeHTML(completed), :part => CGI::escapeHTML(part), :label => item, :category => category}
     end
   rescue ScopedSearch::QueryNotSupported => e
     @items = [{:error =>e.to_s}]
-- 
1.9.0
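Review bot: The escaping on the new hash line is incomplete: `:label => item` is still emitted raw, and `item` comes from `model.complete_for(params[:search])`, so it carries the same user-supplied text as `completed` and `part`. If the JavaScript side inserts `label` into the DOM as HTML, the XSS this commit fixes survives through that field; the `:error => e.to_s` entry in the rescue branch is in the same position if the exception message echoes the query. Either escape it as well, `{:completed => CGI::escapeHTML(completed), :part => CGI::escapeHTML(part), :label => CGI::escapeHTML(item.to_s), :category => category}`, or record the reason it is left alone with a comment such as `# label is rendered as text by the autocompleter; completed/part are inserted as HTML`. The enclosing method begins before the hunk, so the response format and whether the client escapes `label` itself cannot be confirmed from here.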