Version in base suite: 6.0.28+ds1-2 Version in overlay suite: 6.0.28+ds1-2+deb12u1 Base version: tryton-sao_6.0.28+ds1-2+deb12u1 Target version: tryton-sao_6.0.28+ds1-2+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tryton-sao/tryton-sao_6.0.28+ds1-2+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tryton-sao/tryton-sao_6.0.28+ds1-2+deb12u2.dsc changelog | 11 +++++++++++ patches/02_escape_completion_content.patch | 18 ++++++++++++++++++ patches/series | 1 + 3 files changed, 30 insertions(+)
diff -Nru tryton-sao-6.0.28+ds1/debian/changelog tryton-sao-6.0.28+ds1/debian/changelog
--- tryton-sao-6.0.28+ds1/debian/changelog 2025-10-21 10:54:14.000000000 +0000
+++ tryton-sao-6.0.28+ds1/debian/changelog 2025-11-24 19:51:45.000000000 +0000
@@ -1,3 +1,14 @@
+tryton-sao (6.0.28+ds1-2+deb12u2) bookworm-security; urgency=high
+
+ * Add 02_escape_completion_content.patch
+ Patch for security issue:
+ https://foss.heptapod.net/tryton/tryton/-/issues/14363
+ Stored XSS Vulnerability Found in Party Field Leading to Arbitrary
+ JavaScript Execution
+ S.a. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121233
+
+ -- Mathias Behrle Mon, 24 Nov 2025 20:51:45 +0100
+
 tryton-sao (6.0.28+ds1-2+deb12u1) bookworm-security; urgency=high
 * Add 01_xss_vulnerability_attachments_preview.patch.
diff -Nru tryton-sao-6.0.28+ds1/debian/patches/02_escape_completion_content.patch tryton-sao-6.0.28+ds1/debian/patches/02_escape_completion_content.patch
--- tryton-sao-6.0.28+ds1/debian/patches/02_escape_completion_content.patch 1970-01-01 00:00:00.000000000 +0000
+++ tryton-sao-6.0.28+ds1/debian/patches/02_escape_completion_content.patch 2025-11-24 19:46:34.000000000 +0000
@@ -0,0 +1,18 @@
+--- a/src/common.js
++++ b/src/common.js
+@@ -3587,9 +3587,13 @@
+ },
+ _format: function(content) {
+ if (this.format) {
+- return this.format(content);
++ content = this.format(content);
++ }
++ if (content instanceof jQuery) {
++ return content;
++ } else {
++ return jQuery('').text(content);
+ }
+- return jQuery('').text(content);
+ },
+ _format_action: function(content) {
+ if (this.format_action) {
diff -Nru tryton-sao-6.0.28+ds1/debian/patches/series tryton-sao-6.0.28+ds1/debian/patches/series
--- tryton-sao-6.0.28+ds1/debian/patches/series 2025-10-21 09:57:27.000000000 +0000
+++ tryton-sao-6.0.28+ds1/debian/patches/series 2025-11-24 19:47:45.000000000 +0000
@@ -1 +1,2 @@
 01_xss_vulnerability_attachments_preview.patch
+02_escape_completion_content.patch
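Review bot: The new `instanceof jQuery` branch returns whatever jQuery object a custom `format` callback produced without further checks, so the `.text()` escaping added here only covers results that are not already jQuery objects; a formatter that builds its result from record data with string concatenation into `jQuery(html)` would still inject markup into the completion list. I would state that contract on the branch itself: `// jQuery results bypass escaping: formatters must build nodes via .text()/DOM APIs, never from HTML interpolated with record data.` `_format_action` at the tail of the hunk opens with the same `if (this.format_action)` guard that the old `_format` had; its body lies outside the hunk, but if it likewise returns the callback's result unwrapped it needs the same wrapping. The `jQuery('')` literal looks like an element selector whose tag was stripped in this rendering, so the wrapper element itself cannot be judged from here.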