|
92 | 92 |
|
93 | 93 | nextUid=(function() { var counter=1; return function() { return counter++; }; }()); |
94 | 94 |
|
| 95 | + function escapeMarkup(markup) { return markup.replace("&", "&"); } |
| 96 | + |
95 | 97 | function indexOf(value, array) { |
96 | 98 | var i = 0, l = array.length, v; |
97 | 99 |
|
|
596 | 598 |
|
597 | 599 | formatted=opts.formatResult(result, label, query); |
598 | 600 | if (formatted!==undefined) { |
599 | | - label.html(formatted); |
| 601 | + label.html(escapeMarkup(formatted)); |
600 | 602 | } |
601 | 603 |
|
602 | 604 | node.append(label); |
|
1021 | 1023 | } |
1022 | 1024 |
|
1023 | 1025 | function render(html) { |
1024 | | - results.html(html); |
| 1026 | + results.html(escapeMarkup(html)); |
1025 | 1027 | postRender(); |
1026 | 1028 | } |
1027 | 1029 |
|
|
1064 | 1066 | self.opts.populateResults.call(this, results, data.results, {term: search.val(), page: this.resultsPage, context:null}); |
1065 | 1067 |
|
1066 | 1068 | if (data.more === true) { |
1067 | | - results.children().filter(":last").append("<li class='select2-more-results'>" + opts.formatLoadMore(this.resultsPage) + "</li>"); |
| 1069 | + results.children().filter(":last").append("<li class='select2-more-results'>" + escapeMarkup(opts.formatLoadMore(this.resultsPage)) + "</li>"); |
1068 | 1070 | window.setTimeout(function() { self.loadMoreIfNeeded(); }, 10); |
1069 | 1071 | } |
1070 | 1072 |
|
|
1424 | 1426 | // check for a first blank option if attached to a select |
1425 | 1427 | if (this.select && this.select.find("option:first").text() !== "") return; |
1426 | 1428 |
|
1427 | | - this.selection.find("span").html(placeholder); |
| 1429 | + this.selection.find("span").html(escapeMarkup(placeholder)); |
1428 | 1430 |
|
1429 | 1431 | this.selection.addClass("select2-default"); |
1430 | 1432 |
|
|
1485 | 1487 | container.empty(); |
1486 | 1488 | formatted=this.opts.formatSelection(data, container); |
1487 | 1489 | if (formatted !== undefined) { |
1488 | | - container.append(formatted); |
| 1490 | + container.append(escapeMarkup(formatted)); |
1489 | 1491 | } |
1490 | 1492 |
|
1491 | 1493 | this.selection.removeClass("select2-default"); |
|
1841 | 1843 | formatted; |
1842 | 1844 |
|
1843 | 1845 | formatted=this.opts.formatSelection(data, choice); |
1844 | | - choice.find("div").replaceWith("<div>"+formatted+"</div>"); |
| 1846 | + choice.find("div").replaceWith("<div>"+escapeMarkup(formatted)+"</div>"); |
1845 | 1847 | choice.find(".select2-search-choice-close") |
1846 | 1848 | .bind("click dblclick", this.bind(function (e) { |
1847 | 1849 | if (!this.enabled) return; |
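Review bot: escapeMarkup as added at new line 95 does not neutralise markup: as shown here it replaces "&" with the identical string "&" (if the intended replacement was "&amp;", the page may have unescaped it), a string pattern passed to String.prototype.replace only touches the first occurrence, and `<`, `>`, `"` and `'` pass through untouched, so the values handed to `.html()` at new lines 601, 1026 and 1429 and concatenated into markup at new lines 1069 and 1846 are still parsed as HTML. It also throws a TypeError when markup is not a string, and the new line 1846 call site does not guard against formatSelection returning undefined (the line 1490 site does), where the old concatenation merely printed "undefined". A global regex over the HTML metacharacters with a replacement map, applied to `String(markup)`, fixes both, as below. Note that because every caller goes through `.html()` or string concatenation, this makes any HTML returned by formatResult/formatSelection/formatLoadMore render as literal text; if those callbacks are meant to return markup, the escaping belongs on the untrusted fields inside them rather than on their whole output.
```javascript
function escapeMarkup(markup) {
    var replaceMap = {
        "&": "&amp;",
        "<": "&lt;",
        ">": "&gt;",
        '"': "&quot;",
        "'": "&#39;",
        "/": "&#47;"
    };
    // String() keeps the old behaviour for undefined/null instead of throwing on .replace
    return String(markup).replace(/[&<>"'\/]/g, function (match) {
        return replaceMap[match];
    });
}
```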
|