
Commit a65c080

committed
Make the escapeMarkup function escape HTML tags and some other characters and apply it in useful places
1 parent 8e9a231 commit a65c080

1 file changed

Lines changed: 23 additions & 11 deletions


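--- a/select2.js
+++ b/select2.js
@@ -263,20 +263,20 @@ the specific language governing permissions and limitations under the Apache Lic
 return sizer.width();
 }
 
-function markMatch(text, term, markup) {
+function markMatch(text, term, markup, escapeMarkup) {
 var match=text.toUpperCase().indexOf(term.toUpperCase()),
 tl=term.length;
 
 if (match<0) {
-markup.push(text);
+markup.push(escapeMarkup(text));
 return;
 }
 
-markup.push(text.substring(0, match));
+markup.push(escapeMarkup(text.substring(0, match)));
 markup.push("<span class='select2-match'>");
-markup.push(text.substring(match, match + tl));
+markup.push(escapeMarkup(text.substring(match, match + tl)));
 markup.push("</span>");
-markup.push(text.substring(match + tl, text.length));
+markup.push(escapeMarkup(text.substring(match + tl, text.length)));
 }
 
 /**
@@ -730,7 +730,7 @@ the specific language governing permissions and limitations under the Apache Lic
 
 formatted=opts.formatResult(result, label, query);
 if (formatted!==undefined) {
-label.html(self.opts.escapeMarkup(formatted));
+label.html(formatted);
 }
 
 node.append(label);
@@ -1231,7 +1231,7 @@ the specific language governing permissions and limitations under the Apache Lic
 }
 
 function render(html) {
-results.html(self.opts.escapeMarkup(html));
+results.html(html);
 postRender();
 }
 
@@ -2412,7 +2412,7 @@ the specific language governing permissions and limitations under the Apache Lic
 dropdownCssClass: "",
 formatResult: function(result, container, query) {
 var markup=[];
-markMatch(result.text, query.term, markup);
+markMatch(result.text, query.term, markup, this.escapeMarkup);
 return markup.join("");
 },
 formatSelection: function (data, container) {
@@ -2440,9 +2440,21 @@ the specific language governing permissions and limitations under the Apache Lic
 tokenSeparators: [],
 tokenizer: defaultTokenizer,
 escapeMarkup: function (markup) {
-if (markup && typeof(markup) === "string") {
-return markup.replace(/&/g, "&amp;");
-}
+var replace_map = {
+'\\': '&#92;',
+'&': '&#amp;',
+'<': '&#lt;',
+'>': '&#rt;',
+'"': '&#quot;',
+"'": '&#39;',
+"/": '&#x2F;'
+};
+//'--': '-&#45;'
+
+return String(html).replace(/[&<>"'/\\]/g, function (match) {
+return replace_map[match[0]];
+});
+
 return markup;
 },
 blurOnChange: false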
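Review bot: `String(html)` in the new escapeMarkup body (hunk at 2440) reads a name that is not in scope — the function's parameter is `markup` — so every call throws a ReferenceError, and because the default formatResult now routes all option text through `this.escapeMarkup`, the dropdown fails closed instead of rendering. The replacement entities are also malformed: `&#amp;`, `&#lt;`, `&#rt;` and `&#quot;` are not valid character references (`&#` opens a numeric reference), so the escaped characters would be displayed literally rather than as `&`, `<`, `>`, `"`; they should be `&amp;`, `&lt;`, `&gt;` and `&quot;`. The trailing `return markup;` is now unreachable and can be dropped. One contract change deserves a comment, since the hunks at 733 and 1234 no longer pass formatResult output through escapeMarkup: custom formatResult implementations now return raw HTML and must escape untrusted text themselves, e.g. above the option `// formatResult output is inserted as HTML verbatim; custom implementations must run user-supplied text through escapeMarkup`. Whether `this.escapeMarkup` resolves depends on formatResult being invoked as a method of the options object, which the call at 731 appears to do; a bound reference would be safer if callers can invoke it detached.
```javascript
escapeMarkup: function (markup) {
    var replace_map = {
        '\\': '&#92;',
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;',
        '"': '&quot;',
        "'": '&#39;',
        "/": '&#x2F;'
    };
    // … unchanged: commented-out '--' entry …
    return String(markup).replace(/[&<>"'/\\]/g, function (match) {
        return replace_map[match[0]];
    });
},
```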
