From bc1a76488d0f3866cccd0ecafab4379131b3b3d4 Mon Sep 17 00:00:00 2001
From: Andrew Hunt <andrew@aghstrategies.com>
Date: Mon, 11 May 2020 10:07:13 -0400
Subject: [PATCH] CRM.utils.formatConditionalIcon: Escape html characters in
 alt text

---
 js/Common.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/js/Common.js b/js/Common.js
index af35e7df80..95aa331718 100644
--- a/js/Common.js
+++ b/js/Common.js
@@ -417,6 +417,7 @@ if (!CRM.vars) CRM.vars = {};
     var title = '';
     var sr = '';
     if (text) {
+      text = _.escape(text);
       title = ' title="' + text + '"';
       sr = '<span class="sr-only">' + text + '</span>';
     }
-- 
2.25.1