
Commit 5a0f7f5

committed
Added back escapeMarkup
This is needed to escape any bad markup that is passed through user-entered data. Users can prevent their markup from being escaped by using a no-op `escapeMarkup` function. This closes select2#2990.
1 parent 0146181 commit 5a0f7f5

16 files changed

Lines changed: 211 additions & 19 deletions

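--- a/dist/js/select2.amd.full.js
+++ b/dist/js/select2.amd.full.js
@@ -220,6 +220,22 @@ define(['jquery'], function ($) {define('select2/utils',[
 $el.innerWidth() < el.scrollWidth);
 };
 
+Utils.escapeMarkup = function (markup) {
+var replaceMap = {
+'\\': '&#92;',
+'&': '&amp;',
+'<': '&lt;',
+'>': '&gt;',
+'"': '&quot;',
+'\'': '&#39;',
+'/': '&#47;'
+};
+
+return String(markup).replace(/[&<>"'\/\\]/g, function (match) {
+return replaceMap[match];
+});
+};
+
 return Utils;
 });
 
@@ -698,13 +714,14 @@ define('select2/results',[
 
 Results.prototype.template = function (result, container) {
 var template = this.options.get('templateResult');
+var escapeMarkup = this.options.get('escapeMarkup');
 
 var content = template(result);
 
 if (content == null) {
 container.style.display = 'none';
 } else {
-container.innerHTML = content;
+container.innerHTML = escapeMarkup(content);
 }
 };
 
@@ -942,8 +959,9 @@ define('select2/selection/single',[
 
 SingleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 SingleSelection.prototype.selectionContainer = function () {
@@ -1020,8 +1038,9 @@ define('select2/selection/multiple',[
 
 MultipleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 MultipleSelection.prototype.selectionContainer = function () {
@@ -3894,6 +3913,7 @@ define('select2/defaults',[
 this.defaults = {
 amdBase: 'select2/',
 amdLanguageBase: 'select2/i18n/',
+escapeMarkup: Utils.escapeMarkup,
 language: EnglishTranslation,
 matcher: matcher,
 minimumInputLength: 0,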

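--- a/dist/js/select2.amd.js
+++ b/dist/js/select2.amd.js
@@ -220,6 +220,22 @@ define(['jquery'], function ($) {define('select2/utils',[
 $el.innerWidth() < el.scrollWidth);
 };
 
+Utils.escapeMarkup = function (markup) {
+var replaceMap = {
+'\\': '&#92;',
+'&': '&amp;',
+'<': '&lt;',
+'>': '&gt;',
+'"': '&quot;',
+'\'': '&#39;',
+'/': '&#47;'
+};
+
+return String(markup).replace(/[&<>"'\/\\]/g, function (match) {
+return replaceMap[match];
+});
+};
+
 return Utils;
 });
 
@@ -698,13 +714,14 @@ define('select2/results',[
 
 Results.prototype.template = function (result, container) {
 var template = this.options.get('templateResult');
+var escapeMarkup = this.options.get('escapeMarkup');
 
 var content = template(result);
 
 if (content == null) {
 container.style.display = 'none';
 } else {
-container.innerHTML = content;
+container.innerHTML = escapeMarkup(content);
 }
 };
 
@@ -942,8 +959,9 @@ define('select2/selection/single',[
 
 SingleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 SingleSelection.prototype.selectionContainer = function () {
@@ -1020,8 +1038,9 @@ define('select2/selection/multiple',[
 
 MultipleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 MultipleSelection.prototype.selectionContainer = function () {
@@ -3894,6 +3913,7 @@ define('select2/defaults',[
 this.defaults = {
 amdBase: 'select2/',
 amdLanguageBase: 'select2/i18n/',
+escapeMarkup: Utils.escapeMarkup,
 language: EnglishTranslation,
 matcher: matcher,
 minimumInputLength: 0,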

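--- a/dist/js/select2.full.js
+++ b/dist/js/select2.full.js
@@ -658,6 +658,22 @@ define('select2/utils',[
 $el.innerWidth() < el.scrollWidth);
 };
 
+Utils.escapeMarkup = function (markup) {
+var replaceMap = {
+'\\': '&#92;',
+'&': '&amp;',
+'<': '&lt;',
+'>': '&gt;',
+'"': '&quot;',
+'\'': '&#39;',
+'/': '&#47;'
+};
+
+return String(markup).replace(/[&<>"'\/\\]/g, function (match) {
+return replaceMap[match];
+});
+};
+
 return Utils;
 });
 
@@ -1136,13 +1152,14 @@ define('select2/results',[
 
 Results.prototype.template = function (result, container) {
 var template = this.options.get('templateResult');
+var escapeMarkup = this.options.get('escapeMarkup');
 
 var content = template(result);
 
 if (content == null) {
 container.style.display = 'none';
 } else {
-container.innerHTML = content;
+container.innerHTML = escapeMarkup(content);
 }
 };
 
@@ -1380,8 +1397,9 @@ define('select2/selection/single',[
 
 SingleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 SingleSelection.prototype.selectionContainer = function () {
@@ -1458,8 +1476,9 @@ define('select2/selection/multiple',[
 
 MultipleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 MultipleSelection.prototype.selectionContainer = function () {
@@ -4332,6 +4351,7 @@ define('select2/defaults',[
 this.defaults = {
 amdBase: 'select2/',
 amdLanguageBase: 'select2/i18n/',
+escapeMarkup: Utils.escapeMarkup,
 language: EnglishTranslation,
 matcher: matcher,
 minimumInputLength: 0,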

dist/js/select2.full.min.js

Lines changed: 2 additions & 2 deletions

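--- a/dist/js/select2.js
+++ b/dist/js/select2.js
@@ -658,6 +658,22 @@ define('select2/utils',[
 $el.innerWidth() < el.scrollWidth);
 };
 
+Utils.escapeMarkup = function (markup) {
+var replaceMap = {
+'\\': '&#92;',
+'&': '&amp;',
+'<': '&lt;',
+'>': '&gt;',
+'"': '&quot;',
+'\'': '&#39;',
+'/': '&#47;'
+};
+
+return String(markup).replace(/[&<>"'\/\\]/g, function (match) {
+return replaceMap[match];
+});
+};
+
 return Utils;
 });
 
@@ -1136,13 +1152,14 @@ define('select2/results',[
 
 Results.prototype.template = function (result, container) {
 var template = this.options.get('templateResult');
+var escapeMarkup = this.options.get('escapeMarkup');
 
 var content = template(result);
 
 if (content == null) {
 container.style.display = 'none';
 } else {
-container.innerHTML = content;
+container.innerHTML = escapeMarkup(content);
 }
 };
 
@@ -1380,8 +1397,9 @@ define('select2/selection/single',[
 
 SingleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 SingleSelection.prototype.selectionContainer = function () {
@@ -1458,8 +1476,9 @@ define('select2/selection/multiple',[
 
 MultipleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 MultipleSelection.prototype.selectionContainer = function () {
@@ -4332,6 +4351,7 @@ define('select2/defaults',[
 this.defaults = {
 amdBase: 'select2/',
 amdLanguageBase: 'select2/i18n/',
+escapeMarkup: Utils.escapeMarkup,
 language: EnglishTranslation,
 matcher: matcher,
 minimumInputLength: 0,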

dist/js/select2.min.js

Lines changed: 2 additions & 2 deletions

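--- a/docs/examples.html
+++ b/docs/examples.html
@@ -229,6 +229,7 @@ <h1>Loading remote data</h1>
 },
 cache: true
 },
+escapeMarkup: function (markup) { return markup; }, // let our custom formatter work
 minimumInputLength: 1,
 templateResult: formatRepo, // omitted for brevity, see the source of this page
 templateSelection: formatRepoSelection // omitted for brevity, see the source of this page
@@ -949,6 +950,7 @@ <h2>Example code</h2>
 },
 cache: true
 },
+escapeMarkup: function (markup) { return markup; },
 minimumInputLength: 1,
 templateResult: function (repo) {
 if (repo.loading) return repo.text;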

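--- a/src/js/select2/defaults.js
+++ b/src/js/select2/defaults.js
@@ -309,6 +309,7 @@ define([
 this.defaults = {
 amdBase: 'select2/',
 amdLanguageBase: 'select2/i18n/',
+escapeMarkup: Utils.escapeMarkup,
 language: EnglishTranslation,
 matcher: matcher,
 minimumInputLength: 0,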
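Review bot: The new `escapeMarkup: Utils.escapeMarkup,` default is what stands between template output and `innerHTML`, yet the defaults block carries no comment saying so, and the docs examples in this same commit override it with an identity function. A one-line comment above it would make the contract visible to anyone adding options here, e.g. `// Applied to templateResult/templateSelection output before it reaches innerHTML; an identity override moves escaping into the templates.` Utils.escapeMarkup itself lives in utils.js, whose source hunk is not in this view; the dist copies show it escaping `& < > " ' / \` via `String(markup).replace(...)`.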

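--- a/src/js/select2/results.js
+++ b/src/js/select2/results.js
@@ -473,13 +473,14 @@ define([
 
 Results.prototype.template = function (result, container) {
 var template = this.options.get('templateResult');
+var escapeMarkup = this.options.get('escapeMarkup');
 
 var content = template(result);
 
 if (content == null) {
 container.style.display = 'none';
 } else {
-container.innerHTML = content;
+container.innerHTML = escapeMarkup(content);
 }
 };
 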
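Review bot: `container.innerHTML = escapeMarkup(content);` escapes the template's entire return value, so a `templateResult` that emits any markup of its own has to opt out of escaping completely and then owns the escaping of every data field it interpolates. A why-comment on that line would state the contract where it matters, e.g. `// escapeMarkup (default Utils.escapeMarkup) runs on the whole template output; an identity override makes templateResult responsible for escaping user data`. Handing the escaper to the template as well (for instance `template(result, escapeMarkup)`) would let a template escape only `result.text` while keeping its own tags, though that is a wider API change than this commit attempts. `Results.prototype.template` is fully inside the hunk.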
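--- a/src/js/select2/selection/multiple.js
+++ b/src/js/select2/selection/multiple.js
@@ -52,8 +52,9 @@ define([
 
 MultipleSelection.prototype.display = function (data) {
 var template = this.options.get('templateSelection');
+var escapeMarkup = this.options.get('escapeMarkup');
 
-return template(data);
+return escapeMarkup(template(data));
 };
 
 MultipleSelection.prototype.selectionContainer = function () {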
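Review bot: `return escapeMarkup(template(data));` has no null guard, unlike the results.js hunk which checks `content == null` before escaping; the default escaper, which the dist hunks show calling `String(markup)`, will turn a null or undefined `templateSelection` result into the literal text "null" or "undefined", whereas the removed `return template(data);` passed the value through unchanged. The same pattern appears in the single.js hunks of the dist files (the src single.js section is not in this view). If any caller of `display` relies on a nullish result, which I cannot confirm from here, `var content = template(data); return content == null ? content : escapeMarkup(content);` keeps that behaviour.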
