@@ -263,20 +263,20 @@ the specific language governing permissions and limitations under the Apache Lic
263263 return sizer . width ( ) ;
264264 }
265265
266- function markMatch ( text , term , markup ) {
266+ function markMatch ( text , term , markup , escapeMarkup ) {
267267 var match = text . toUpperCase ( ) . indexOf ( term . toUpperCase ( ) ) ,
268268 tl = term . length ;
269269
270270 if ( match < 0 ) {
271- markup . push ( text ) ;
271+ markup . push ( escapeMarkup ( text ) ) ;
272272 return ;
273273 }
274274
275- markup . push ( text . substring ( 0 , match ) ) ;
275+ markup . push ( escapeMarkup ( text . substring ( 0 , match ) ) ) ;
276276 markup . push ( "<span class='select2-match'>" ) ;
277- markup . push ( text . substring ( match , match + tl ) ) ;
277+ markup . push ( escapeMarkup ( text . substring ( match , match + tl ) ) ) ;
278278 markup . push ( "</span>" ) ;
279- markup . push ( text . substring ( match + tl , text . length ) ) ;
279+ markup . push ( escapeMarkup ( text . substring ( match + tl , text . length ) ) ) ;
280280 }
281281
282282 /**
@@ -730,7 +730,7 @@ the specific language governing permissions and limitations under the Apache Lic
730730
731731 formatted = opts . formatResult ( result , label , query ) ;
732732 if ( formatted !== undefined ) {
733- label . html ( self . opts . escapeMarkup ( formatted ) ) ;
733+ label . html ( formatted ) ;
734734 }
735735
736736 node . append ( label ) ;
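Review bot: `label.html(formatted)` on line 733 inserts the return value of `opts.formatResult` verbatim, so a user-supplied formatResult that returns `result.text` untouched — which was safe while this call site escaped it — now emits whatever the data source contains as HTML. The same contract shift applies to `render(html)` in the hunk at line 1234, whose callers lie outside this diff. Only overrides are affected, since the default formatResult escapes through markMatch, but the change should be recorded in the changelog and in the option documentation, e.g. `// formatResult output is inserted as HTML; implementations must pass data-derived text through opts.escapeMarkup`. The enclosing function starts and ends outside this hunk.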
@@ -1231,7 +1231,7 @@ the specific language governing permissions and limitations under the Apache Lic
12311231 }
12321232
12331233 function render ( html ) {
1234- results . html ( self . opts . escapeMarkup ( html ) ) ;
1234+ results . html ( html ) ;
12351235 postRender ( ) ;
12361236 }
12371237
@@ -2412,7 +2412,7 @@ the specific language governing permissions and limitations under the Apache Lic
24122412 dropdownCssClass : "" ,
24132413 formatResult : function ( result , container , query ) {
24142414 var markup = [ ] ;
2415- markMatch ( result . text , query . term , markup ) ;
2415+ markMatch ( result . text , query . term , markup , this . escapeMarkup ) ;
24162416 return markup . join ( "" ) ;
24172417 } ,
24182418 formatSelection : function ( data , container ) {
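Review bot: `this.escapeMarkup` on line 2415 makes the default formatResult depend on being invoked as a method of the options object. The call on line 731 (`opts.formatResult(result, label, query)`) satisfies that, but anyone who captures the default function and calls it detached gets `this` as undefined or the global object, and markMatch then fails with a TypeError when it invokes the missing escape function. A comment on the option would prevent that surprise: `// relies on being called as opts.formatResult(...) so that this === opts`.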
@@ -2440,9 +2440,21 @@ the specific language governing permissions and limitations under the Apache Lic
24402440 tokenSeparators : [ ] ,
24412441 tokenizer : defaultTokenizer ,
24422442 escapeMarkup : function ( markup ) {
2443- if ( markup && typeof ( markup ) === "string" ) {
2444- return markup . replace ( / & / g, "&" ) ;
2445- }
2443+ var replace_map = {
2444+ '\\' : '\' ,
2445+ '&' : '&#amp;' ,
2446+ '<' : '&#lt;' ,
2447+ '>' : '&#rt;' ,
2448+ '"' : '&#quot;' ,
2449+ "'" : ''' ,
2450+ "/" : '/'
2451+ } ;
2452+ //'--': '--'
2453+
2454+ return String ( html ) . replace ( / [ & < > " ' / \\ ] / g, function ( match ) {
2455+ return replace_map [ match [ 0 ] ] ;
2456+ } ) ;
2457+
24462458 return markup ;
24472459 } ,
24482460 blurOnChange : false
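Review bot: `String(html)` on line 2454 references `html`, which is not defined in this function — the parameter is `markup` — so every call to the default escapeMarkup, now on the path of every rendered result via markMatch, throws a ReferenceError; it should read `return String(markup).replace(/[&<>"'/\\]/g, function (match) {`. With that return in place the `return markup;` on line 2458 is unreachable and should be removed, along with the commented-out `//'--': '--'` on line 2452. Several replacement values as shown here are not valid character references: `&#amp;`, `&#lt;`, `&#rt;` and `&#quot;` mix the numeric `&#` prefix with a name, and `'\'` on line 2444 is an unterminated string literal; the values for `'`, `/` and `\` appear as the raw characters, which may be this page decoding entities, but `&#rt;` for `>` is wrong in any reading and would render as literal text. The standard forms are `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#47;` and `&#92;`.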