From 4399b6076b08dce2e65a5ebbc3025d95c2da059a Mon Sep 17 00:00:00 2001
From: Brett Smith <brett@curoverse.com>
Date: Tue, 20 May 2014 15:34:07 -0400
Subject: [PATCH] 2753: HTML-escape provided button text.

---
 apps/workbench/app/helpers/application_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/workbench/app/helpers/application_helper.rb b/apps/workbench/app/helpers/application_helper.rb
index f363fb4047..720173cc45 100644
--- a/apps/workbench/app/helpers/application_helper.rb
+++ b/apps/workbench/app/helpers/application_helper.rb
@@ -290,7 +290,7 @@ module ApplicationHelper
     params[:class] ||= 'btn btn-xs btn-default'
     list[0...show_max].each { |item| yield item }
     unless list[show_max].nil?
-      link_to(button_text +
+      link_to(h(button_text) +
               raw(' &nbsp; <i class="fa fa-fw fa-arrow-circle-right"></i>'),
               button_href, params, *rest)
     end
-- 
2.30.2