From c8f8a0dc7bea739220203b5d06247a976525ca24 Mon Sep 17 00:00:00 2001
From: Sarken
Date: Thu, 5 Oct 2023 23:29:08 -0400
Subject: [PATCH] AO3-6618 Escape characters on bookmark fields fetched with JavaScript
---
 app/views/external_works/fetch.js.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/views/external_works/fetch.js.erb b/app/views/external_works/fetch.js.erb
index 2e3ca855796..cb20f7911cb 100644
--- a/app/views/external_works/fetch.js.erb
+++ b/app/views/external_works/fetch.js.erb
@@ -1,6 +1,6 @@
 <% unless @external_work.blank? %>
- $j('#external_work_author').val("<%= @external_work.author %>").change();
- $j('#external_work_title').val("<%= @external_work.title %>").change();
+ $j('#external_work_author').val("<%= escape_javascript(@external_work.author.html_safe) %>").change();
+ $j('#external_work_title').val("<%= escape_javascript(@external_work.title) %>").change();
  $j('#external_work_summary').val("<%= escape_javascript(@external_work.summary&.html_safe) %>").change();
  $j('#fetched').val("<%= @external_work.id %>");
  $j('#external_work_rating_string').val("<%= @external_work.rating_string %>");
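Review bot: The added author line calls `@external_work.author.html_safe` without the safe navigation that the summary line uses (`summary&.html_safe`), so a nil author would raise; `escape_javascript(@external_work.author&.html_safe)` would match. Marking a user-supplied field `html_safe` also switches off ERB's HTML escaping for it, leaving `escape_javascript` as the only encoding. That is adequate only while the value stays inside the quoted JS string passed to `.val()`, so a comment such as `<%# html_safe: value is only used in a JS string for .val(), never inserted as markup %>` would record the assumption. The title line gets no `html_safe` and is presumably still HTML-escaped after JS-escaping, so it is worth confirming the two fields are meant to differ. The unchanged `rating_string` line still interpolates into a JS string without `escape_javascript`; if that value can ever contain a backslash or newline, it needs the same wrapping, and the template continues past this hunk, so later fields should be checked too.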