Escaping the `object_link_text` on cross project milestone references

2 files changed, 7 insertions, 1 deletions

diff --git a/lib/banzai/filter/milestone_reference_filter.rb b/lib/banzai/filter/milestone_reference_filter.rb
index 556087c4880..aea1abf3b8e 100644
--- a/lib/banzai/filter/milestone_reference_filter.rb
+++ b/lib/banzai/filter/milestone_reference_filter.rb
@@ -39,7 +39,7 @@ module Banzai
         if context[:project] == object.project
           super
         else
-          "#{super} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
+          "#{escape_once(super)} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
             html_safe
         end
       end
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index 26f87286b2c..ac3e6e4e536 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -176,5 +176,11 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
     it 'contains cross project content' do
       expect(result.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
     end
+
+    it 'escapes the name attribute' do
+      allow_any_instance_of(Milestone).to receive(:title).and_return(%{"></a>whatever<a title="})
+      doc = reference_filter("See #{reference}")
+      expect(doc.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
+    end
   end
 end