From 7cad4d295dca4eae1bc94891f2c2596b0c3cf702 Mon Sep 17 00:00:00 2001
From: Alexander Brandon Coles
Date: Wed, 5 Nov 2025 12:53:16 +0000
Subject: [PATCH] Ensure csp_onclick escapes selector

---
 app/helpers/removed_js_helpers_helper.rb | 2 +-
 spec/helpers/removed_js_helpers_helper_spec.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/helpers/removed_js_helpers_helper.rb b/app/helpers/removed_js_helpers_helper.rb
index 874e404a518..65d2ac23503 100644
--- a/app/helpers/removed_js_helpers_helper.rb
+++ b/app/helpers/removed_js_helpers_helper.rb
@@ -46,7 +46,7 @@ module RemovedJsHelpersHelper
 def csp_onclick(callback_str, selector, prevent_default: true)
 content_for(:additional_js_dom_ready) do
 raw <<~JS # rubocop:disable Rails/OutputSafety
- document.querySelector('#{selector}')?.addEventListener('click', function(event) {
+ document.querySelector('#{j(selector)}')?.addEventListener('click', function(event) {
 #{callback_str&.delete_suffix(';')};#{"\n event.preventDefault();" if prevent_default}
 });
 JS
diff --git a/spec/helpers/removed_js_helpers_helper_spec.rb b/spec/helpers/removed_js_helpers_helper_spec.rb
index 8dee6d8d884..0df1f3be265 100644
--- a/spec/helpers/removed_js_helpers_helper_spec.rb
+++ b/spec/helpers/removed_js_helpers_helper_spec.rb
@@ -69,5 +69,16 @@ RSpec.describe RemovedJsHelpersHelper do
 });
 JS
 end
+
+ it "escapes selector" do
+ helper.csp_onclick("console.log('hello');", "[data-attr^='foo']")
+
+ expect(helper.content_for(:additional_js_dom_ready)).to eq(<<~JS)
+ document.querySelector('[data-attr^=\\'foo\\']')?.addEventListener('click', function(event) {
+ console.log('hello');
+ event.preventDefault();
+ });
+ JS
+ end
 end
 end
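Review bot: The new `j(selector)` call is the right escaper for a single-quoted JS string literal, but the method still has no comment explaining the different trust levels of its two arguments: `selector` is now escaped, while `callback_str` on the following line is still interpolated verbatim and executes as JavaScript inside the nonce-bearing DOM-ready block. Add a header comment above `def csp_onclick` along the lines of `# selector is escaped with j (ActionView's escape_javascript) for the single-quoted querySelector literal; callback_str is emitted verbatim as JS and must be developer-authored, never built from request or user data.` so the next caller does not assume both arguments are safe to populate from params. The method's closing `end` lies outside the hunk.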
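Review bot: The new example pins only the single-quote case of the escaping; a backslash or a `</` sequence in the selector, both of which `escape_javascript` also rewrites, is not exercised, so a regression that replaced `j` with a quote-only substitution would still pass this spec. Consider a second `it` block that passes a selector containing a backslash and asserts the doubled backslash in the emitted `querySelector` literal, e.g. `helper.csp_onclick("console.log('hello');", "[data-attr='a\\\\b']")` (a constructed example; the expected heredoc needs the same `\\` doubling as the existing one). The enclosing `describe`/`context` opening is outside the hunk.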