@@ -263,20 +263,20 @@ the specific language governing permissions and limitations under the Apache Lic
263263 return sizer . width ( ) ;
264264 }
265265
266- function markMatch ( text , term , markup ) {
266+ function markMatch ( text , term , markup , escapeMarkup ) {
267267 var match = text . toUpperCase ( ) . indexOf ( term . toUpperCase ( ) ) ,
268268 tl = term . length ;
269269
270270 if ( match < 0 ) {
271- markup . push ( text ) ;
271+ markup . push ( escapeMarkup ( text ) ) ;
272272 return ;
273273 }
274274
275- markup . push ( text . substring ( 0 , match ) ) ;
275+ markup . push ( escapeMarkup ( text . substring ( 0 , match ) ) ) ;
276276 markup . push ( "<span class='select2-match'>" ) ;
277- markup . push ( text . substring ( match , match + tl ) ) ;
277+ markup . push ( escapeMarkup ( text . substring ( match , match + tl ) ) ) ;
278278 markup . push ( "</span>" ) ;
279- markup . push ( text . substring ( match + tl , text . length ) ) ;
279+ markup . push ( escapeMarkup ( text . substring ( match + tl , text . length ) ) ) ;
280280 }
281281
282282 /**
@@ -730,7 +730,7 @@ the specific language governing permissions and limitations under the Apache Lic
730730
731731 formatted = opts . formatResult ( result , label , query ) ;
732732 if ( formatted !== undefined ) {
733- label . html ( self . opts . escapeMarkup ( formatted ) ) ;
733+ label . html ( formatted ) ;
734734 }
735735
736736 node . append ( label ) ;
@@ -1231,7 +1231,7 @@ the specific language governing permissions and limitations under the Apache Lic
12311231 }
12321232
12331233 function render ( html ) {
1234- results . html ( self . opts . escapeMarkup ( html ) ) ;
1234+ results . html ( html ) ;
12351235 postRender ( ) ;
12361236 }
12371237
@@ -2420,7 +2420,7 @@ the specific language governing permissions and limitations under the Apache Lic
24202420 dropdownCssClass : "" ,
24212421 formatResult : function ( result , container , query ) {
24222422 var markup = [ ] ;
2423- markMatch ( result . text , query . term , markup ) ;
2423+ markMatch ( result . text , query . term , markup , this . escapeMarkup ) ;
24242424 return markup . join ( "" ) ;
24252425 } ,
24262426 formatSelection : function ( data , container ) {
@@ -2448,9 +2448,21 @@ the specific language governing permissions and limitations under the Apache Lic
24482448 tokenSeparators : [ ] ,
24492449 tokenizer : defaultTokenizer ,
24502450 escapeMarkup : function ( markup ) {
2451- if ( markup && typeof ( markup ) === "string" ) {
2452- return markup . replace ( / & / g, "&" ) ;
2453- }
2451+ var replace_map = {
2452+ '\\' : '\' ,
2453+ '&' : '&#amp;' ,
2454+ '<' : '&#lt;' ,
2455+ '>' : '&#rt;' ,
2456+ '"' : '&#quot;' ,
2457+ "'" : ''' ,
2458+ "/" : '/'
2459+ } ;
2460+ //'--': '--'
2461+
2462+ return String ( html ) . replace ( / [ & < > " ' / \\ ] / g, function ( match ) {
2463+ return replace_map [ match [ 0 ] ] ;
2464+ } ) ;
2465+
24542466 return markup ;
24552467 } ,
24562468 blurOnChange : false ,