From 86d92508cb3eeb65a3b97548d2fd4e1ea5960666 Mon Sep 17 00:00:00 2001
From: bugbug11111
Date: Tue, 5 May 2026 12:07:04 +0200
Subject: [PATCH] fix(accounts): sanitize activity entry names for highlighting

* Updated the `highlight_activity_entry_name` method to escape HTML in activity entry names before highlighting. This change prevents potential XSS vulnerabilities and ensures safe rendering of user-generated content.
---
 app/helpers/accounts_helper.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/helpers/accounts_helper.rb b/app/helpers/accounts_helper.rb
index 90966cec9..302902f39 100644
--- a/app/helpers/accounts_helper.rb
+++ b/app/helpers/accounts_helper.rb
@@ -15,6 +15,7 @@ module AccountsHelper
     search = query.to_s.strip
     return name if search.blank?
 
-    highlight(name, search, highlighter: ACTIVITY_HIGHLIGHT_MARKUP)
+    escaped_name = ERB::Util.html_escape(name.to_s)
+    highlight(escaped_name, search, highlighter: ACTIVITY_HIGHLIGHT_MARKUP, sanitize: false)
   end
 end
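Review bot: The early return `return name if search.blank?` still hands back the raw, unescaped name, so the helper now returns an html_safe SafeBuffer on the highlight path but a plain String on the blank-query path; if any template renders the result with `raw` or `.html_safe` (plausible, since the highlighted result is already html_safe), the blank-query path remains an injection point. Make both paths return the same escaped type, `return ERB::Util.html_escape(name.to_s) if search.blank?`, which also removes the `nil` result the old line yields for a nil name. A second effect of escaping before matching is that a query containing `&`, `<`, `>` or `"` no longer matches the entity-encoded text and will not be highlighted, and a query such as `amp` can land inside an `&amp;` entity; escaping the query the same way, `highlight(escaped_name, ERB::Util.html_escape(search), ...)`, keeps the markers aligned with what the user typed. The method's `def` line and `ACTIVITY_HIGHLIGHT_MARKUP` are outside the hunk, so the markup itself could not be checked here.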