Fixed option text encoding

kevin-brown · kevin-brown · commit 0da15aa58621 · 2015-03-11T18:12:14.000-04:00
This fixes an issue when using a `<select>` where the elements were created with XHTML-encoded characters to prevent any injection, as they would be double-encoded and display incorrectly. When using a `<select>`, we can assume that the data has already been encoded because any XSS will have already run before we get to it. Because of this, we can just use `.text()` instead of `.html()` to avoid any issues. This also includes a test to ensure that this does not become an issue in the future. This closes select2#3115.
diff --git a/dist/js/select2.amd.full.js b/dist/js/select2.amd.full.js
@@ -2563,7 +2563,7 @@ define('select2/data/select',[
     if ($option.is('option')) {
       data = {
         id: $option.val(),
-        text: $option.html(),
+        text: $option.text(),
         disabled: $option.prop('disabled'),
         selected: $option.prop('selected'),
         title: $option.prop('title')
diff --git a/dist/js/select2.amd.js b/dist/js/select2.amd.js
@@ -2563,7 +2563,7 @@ define('select2/data/select',[
     if ($option.is('option')) {
       data = {
         id: $option.val(),
-        text: $option.html(),
+        text: $option.text(),
         disabled: $option.prop('disabled'),
         selected: $option.prop('selected'),
         title: $option.prop('title')
diff --git a/dist/js/select2.full.js b/dist/js/select2.full.js
@@ -3002,7 +3002,7 @@ define('select2/data/select',[
     if ($option.is('option')) {
       data = {
         id: $option.val(),
-        text: $option.html(),
+        text: $option.text(),
         disabled: $option.prop('disabled'),
         selected: $option.prop('selected'),
         title: $option.prop('title')
diff --git a/dist/js/select2.full.min.js b/dist/js/select2.full.min.js
diff --git a/dist/js/select2.js b/dist/js/select2.js
@@ -3002,7 +3002,7 @@ define('select2/data/select',[
     if ($option.is('option')) {
       data = {
         id: $option.val(),
-        text: $option.html(),
+        text: $option.text(),
         disabled: $option.prop('disabled'),
         selected: $option.prop('selected'),
         title: $option.prop('title')
diff --git a/dist/js/select2.min.js b/dist/js/select2.min.js
diff --git a/src/js/select2/data/select.js b/src/js/select2/data/select.js
@@ -205,7 +205,7 @@ define([
     if ($option.is('option')) {
       data = {
         id: $option.val(),
-        text: $option.html(),
+        text: $option.text(),
         disabled: $option.prop('disabled'),
         selected: $option.prop('selected'),
         title: $option.prop('title')
diff --git a/tests/data/select-tests.js b/tests/data/select-tests.js
@@ -439,3 +439,16 @@ test('multiple options with the same value are returned', function (assert) {
     );
   });
 });
+
+test('data objects use the text of the option', function (assert) {
+  var $select = $('#qunit-fixture .duplicates');
+
+  var data = new SelectData($select, options);
+
+  var $option = $('<option>&amp;</option>');
+
+  var item = data.item($option);
+
+  assert.equal(item.id, '&');
+  assert.equal(item.text, '&');
+});
