Context-sensitive XSS bugfix.

Author: Antonin Steinhauser

app/helpers/tags_helper.rb

@@ -17,7 +17,7 @@ def tags_for_index(model)
       elsif !query.include?(hashtag)
         query += " #{hashtag}"
       end
-      out << link_to_function(tag, "crm.search_tagged('#{query}', '#{model.class.to_s.tableize}')", title: tag)
+      out << link_to_function(tag, "crm.search_tagged('#{escape_javascript(query)}', '#{model.class.to_s.tableize}')", title: tag)
     end
   end