
Commit bb51eb7

committed
double escape markup populated via html() and append(). fixes select2#269
1 parent 3e42cae commit bb51eb7

1 file changed

Lines changed: 8 additions & 6 deletions


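--- a/select2.js
+++ b/select2.js
@@ -92,6 +92,8 @@
 
 nextUid=(function() { var counter=1; return function() { return counter++; }; }());
 
+function escapeMarkup(markup) { return markup.replace("&", "&"); }
+
 function indexOf(value, array) {
 var i = 0, l = array.length, v;
 
@@ -596,7 +598,7 @@
 
 formatted=opts.formatResult(result, label, query);
 if (formatted!==undefined) {
-label.html(formatted);
+label.html(escapeMarkup(formatted));
 }
 
 node.append(label);
@@ -1021,7 +1023,7 @@
 }
 
 function render(html) {
-results.html(html);
+results.html(escapeMarkup(html));
 postRender();
 }
 
@@ -1064,7 +1066,7 @@
 self.opts.populateResults.call(this, results, data.results, {term: search.val(), page: this.resultsPage, context:null});
 
 if (data.more === true) {
-results.children().filter(":last").append("<li class='select2-more-results'>" + opts.formatLoadMore(this.resultsPage) + "</li>");
+results.children().filter(":last").append("<li class='select2-more-results'>" + escapeMarkup(opts.formatLoadMore(this.resultsPage)) + "</li>");
 window.setTimeout(function() { self.loadMoreIfNeeded(); }, 10);
 }
 
@@ -1424,7 +1426,7 @@
 // check for a first blank option if attached to a select
 if (this.select && this.select.find("option:first").text() !== "") return;
 
-this.selection.find("span").html(placeholder);
+this.selection.find("span").html(escapeMarkup(placeholder));
 
 this.selection.addClass("select2-default");
 
@@ -1485,7 +1487,7 @@
 container.empty();
 formatted=this.opts.formatSelection(data, container);
 if (formatted !== undefined) {
-container.append(formatted);
+container.append(escapeMarkup(formatted));
 }
 
 this.selection.removeClass("select2-default");
@@ -1841,7 +1843,7 @@
 formatted;
 
 formatted=this.opts.formatSelection(data, choice);
-choice.find("div").replaceWith("<div>"+formatted+"</div>");
+choice.find("div").replaceWith("<div>"+escapeMarkup(formatted)+"</div>");
 choice.find(".select2-search-choice-close")
 .bind("click dblclick", this.bind(function (e) {
 if (!this.enabled) return;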
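Review bot: `escapeMarkup` at new line 95 passes a string pattern to `replace`, which rewrites only the first `&`, so every later ampersand is left untouched for each of the six call sites added in the other hunks (new lines 600, 1026, 1069, 1429, 1490, 1846); the page also shows the replacement as a bare `"&"`, which looks like the `&amp;` entity being decoded by the page rather than the actual source, so that is worth confirming against the file. Escaping only `&` does not neutralize `<`, `>` or quotes, so formatter output inserted through `.html()`, `.append()` and the string-built `<div>`/`<li>` wrappers still arrives as live markup; if the intent is to render that output as text, `return String(markup).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");` covers the usual characters and also tolerates a non-string return from `formatResult`/`formatSelection`/`formatLoadMore`, which would otherwise throw on `.replace`. A short header comment such as `// Escape text that may contain markup before inserting it into the DOM` would make the helper's contract clear to the formatter callbacks that feed it. The functions enclosing the call-site hunks start and end outside those hunks.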
