
Commit 3536728

committed
Merge pull request select2#691 from jelte12345/master
Fix XSS injection
2 parents 5f28280 + a65c080 commit 3536728

1 file changed

Lines changed: 23 additions & 11 deletions


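--- a/select2.js
+++ b/select2.js
@@ -263,20 +263,20 @@ the specific language governing permissions and limitations under the Apache Lic
 return sizer.width();
 }
 
-function markMatch(text, term, markup) {
+function markMatch(text, term, markup, escapeMarkup) {
 var match=text.toUpperCase().indexOf(term.toUpperCase()),
 tl=term.length;
 
 if (match<0) {
-markup.push(text);
+markup.push(escapeMarkup(text));
 return;
 }
 
-markup.push(text.substring(0, match));
+markup.push(escapeMarkup(text.substring(0, match)));
 markup.push("<span class='select2-match'>");
-markup.push(text.substring(match, match + tl));
+markup.push(escapeMarkup(text.substring(match, match + tl)));
 markup.push("</span>");
-markup.push(text.substring(match + tl, text.length));
+markup.push(escapeMarkup(text.substring(match + tl, text.length)));
 }
 
 /**
@@ -730,7 +730,7 @@ the specific language governing permissions and limitations under the Apache Lic
 
 formatted=opts.formatResult(result, label, query);
 if (formatted!==undefined) {
-label.html(self.opts.escapeMarkup(formatted));
+label.html(formatted);
 }
 
 node.append(label);
@@ -1231,7 +1231,7 @@ the specific language governing permissions and limitations under the Apache Lic
 }
 
 function render(html) {
-results.html(self.opts.escapeMarkup(html));
+results.html(html);
 postRender();
 }
 
@@ -2420,7 +2420,7 @@ the specific language governing permissions and limitations under the Apache Lic
 dropdownCssClass: "",
 formatResult: function(result, container, query) {
 var markup=[];
-markMatch(result.text, query.term, markup);
+markMatch(result.text, query.term, markup, this.escapeMarkup);
 return markup.join("");
 },
 formatSelection: function (data, container) {
@@ -2448,9 +2448,21 @@ the specific language governing permissions and limitations under the Apache Lic
 tokenSeparators: [],
 tokenizer: defaultTokenizer,
 escapeMarkup: function (markup) {
-if (markup && typeof(markup) === "string") {
-return markup.replace(/&/g, "&amp;");
-}
+var replace_map = {
+'\\': '&#92;',
+'&': '&#amp;',
+'<': '&#lt;',
+'>': '&#rt;',
+'"': '&#quot;',
+"'": '&#39;',
+"/": '&#x2F;'
+};
+//'--': '-&#45;'
+
+return String(html).replace(/[&<>"'/\\]/g, function (match) {
+return replace_map[match[0]];
+});
+
 return markup;
 },
 blurOnChange: false,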
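Review bot: `String(html)` in the new escapeMarkup (new line 2462) references `html`, which is neither the parameter (`markup`) nor a visible local, so every call appears to throw a ReferenceError unless an `html` binding exists in an enclosing scope outside the hunk — and since the 733 and 1234 hunks remove escaping at the `.html()` sinks, a throw here is the only thing standing between unescaped `result.text` and the DOM. The replacement table also uses malformed character references (`&#amp;`, `&#lt;`, `&#rt;`, `&#quot;`); browsers do not decode these, so the characters are neutralized but render as literal `&#lt;` text, and they should be `&amp;`, `&lt;`, `&gt;`, `&quot;`. The trailing `return markup;` at 2466 is unreachable once the `return String(...)` line runs and should be dropped so nobody later removes the early return and silently hands back unescaped input. `String(markup)` also coerces non-string inputs (e.g. `undefined` becomes `"undefined"`) where the old `typeof` guard returned them untouched; keep that guard if callers pass non-strings. Because the sinks no longer escape, custom `formatResult` callbacks now receive trust as HTML producers; a doc comment on the option such as `// formatResult output is inserted as HTML; custom callbacks must escape user-controlled text (e.g. via this.escapeMarkup).` would make that contract explicit.

```javascript
escapeMarkup: function (markup) {
    var replace_map = {
        '\\': '&#92;',
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#39;',
        "/": '&#x2F;'
    };

    return String(markup).replace(/[&<>"'/\\]/g, function (match) {
        return replace_map[match];
    });
},
```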
