Version in base suite: 7.0.28+ds1-1+deb13u1 Base version: tryton-sao_7.0.28+ds1-1+deb13u1 Target version: tryton-sao_7.0.28+ds1-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tryton-sao/tryton-sao_7.0.28+ds1-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tryton-sao/tryton-sao_7.0.28+ds1-1+deb13u2.dsc changelog | 11 +++++++++++ patches/02_escape_completion_content.patch | 18 ++++++++++++++++++ patches/series | 1 + 3 files changed, 30 insertions(+)
diff -Nru tryton-sao-7.0.28+ds1/debian/changelog tryton-sao-7.0.28+ds1/debian/changelog
--- tryton-sao-7.0.28+ds1/debian/changelog 2025-10-21 11:12:38.000000000 +0000
+++ tryton-sao-7.0.28+ds1/debian/changelog 2025-11-24 19:27:26.000000000 +0000
@@ -1,3 +1,14 @@
+tryton-sao (7.0.28+ds1-1+deb13u2) trixie-security; urgency=high
+
+ * Add 02_escape_completion_content.patch.
+ Patch for security issue:
+ https://foss.heptapod.net/tryton/tryton/-/issues/14363
+ Stored XSS Vulnerability Found in Party Field Leading to Arbitrary
+ JavaScript Execution
+ S.a. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121233
+
+ -- Mathias Behrle Mon, 24 Nov 2025 20:27:26 +0100
+
 tryton-sao (7.0.28+ds1-1+deb13u1) trixie-security; urgency=high
 * Add 01_xss_vulnerability_attachments_preview.patch.
diff -Nru tryton-sao-7.0.28+ds1/debian/patches/02_escape_completion_content.patch tryton-sao-7.0.28+ds1/debian/patches/02_escape_completion_content.patch
--- tryton-sao-7.0.28+ds1/debian/patches/02_escape_completion_content.patch 1970-01-01 00:00:00.000000000 +0000
+++ tryton-sao-7.0.28+ds1/debian/patches/02_escape_completion_content.patch 2025-11-24 19:20:24.000000000 +0000
@@ -0,0 +1,18 @@
+--- a/src/common.js
++++ b/src/common.js
+@@ -3809,9 +3809,13 @@
+ },
+ _format: function(content) {
+ if (this.format) {
+- return this.format(content);
++ content = this.format(content);
++ }
++ if (content instanceof jQuery) {
++ return content;
++ } else {
++ return jQuery('').text(content);
+ }
+- return jQuery('').text(content);
+ },
+ _format_action: function(content) {
+ if (this.format_action) {
diff -Nru tryton-sao-7.0.28+ds1/debian/patches/series tryton-sao-7.0.28+ds1/debian/patches/series
--- tryton-sao-7.0.28+ds1/debian/patches/series 2025-10-21 11:07:16.000000000 +0000
+++ tryton-sao-7.0.28+ds1/debian/patches/series 2025-11-24 19:19:30.000000000 +0000
@@ -1 +1,2 @@
 01_xss_vulnerability_attachments_preview.patch
+02_escape_completion_content.patch
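Review bot: The `content instanceof jQuery` branch in the new `_format` returns a formatter's jQuery result untouched, so the escaping this patch adds only covers string results; any `format` callback that builds its node from an HTML string rather than via `.text()` would still render stored markup, and whether such callbacks exist is not visible from this hunk. A short comment on that branch would make the contract explicit, e.g. `// jQuery results bypass escaping: formatters must build nodes with .text(), never from raw HTML strings`. `_format_action` at the bottom of the hunk has the same shape but its body lies outside the hunk, so it is worth confirming it received the same treatment. As a point of style, reassigning the `content` parameter could be avoided with `const formatted = this.format ? this.format(content) : content;` and branching on that instead. The element selector inside `jQuery('')` on the two wrapping lines reads as empty in this listing, which looks like an extraction artifact; the applied patch should be checked to carry a real element selector, since `.text()` on an empty jQuery set renders nothing.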