jquery / jquery-ui

Source
Commits
Network (212)
Graphs
Tree: 1f2cfb9

The official jQuery user interface library. — Read more

This URL has Read+Write access

Autocomplete: Render items as text, not HTML. Fixes #5275 - suggestions are not html-encoded.

As noted in the ticket, it's probably better to default to unstyled items to prevent problems. Users can still implement their own rendering method as shown in the custom data and display demo.

scottgonzalez (author)

Mon Jul 19 12:45:30 -0700 2010

commit 1f2cfb942f8ac5549b1f
tree e675788946bbe39bf323
parent 7deb873c51ede9fb5e8b

M	demos/autocomplete/combobox.html	6 •••••
M	demos/autocomplete/search.php	4 ••••
M	ui/jquery.ui.autocomplete.js	2 ••

demos/autocomplete/combobox.html

show inline notes
View file @ 1f2cfb9

...	...	@@ -54,6 +54,12 @@
54	54	minLength: 0
55	55	})
56	56	.addClass("ui-widget ui-widget-content ui-corner-left");
	57	+ input.data("autocomplete")._renderItem = function( ul, item) {
	58	+ return $( "<li></li>" )
	59	+ .data( "item.autocomplete", item )
	60	+ .append( "<a>" + item.label + "</a>" )
3
	61	+ .appendTo( ul );
	62	+ };
57	63	$("<button> </button>")
58	64	.attr("tabIndex", -1)
59	65	.attr("title", "Show All Items")

demos/autocomplete/search.php

View file @ 1f2cfb9

@@ -3,8 +3,8 @@
 $q = strtolower($_GET["term"]);
 if (!$q) return;
 $items = array(
-"Great <em>Bittern</em>"=>"Botaurus stellaris",
-"Little <em>Grebe</em>"=>"Tachybaptus ruficollis",
+"Great Bittern"=>"Botaurus stellaris",
+"Little Grebe"=>"Tachybaptus ruficollis",
 "Black-necked Grebe"=>"Podiceps nigricollis",
 "Little Bittern"=>"Ixobrychus minutus",
 "Black-crowned Night Heron"=>"Nycticorax nycticorax",

ui/jquery.ui.autocomplete.js

View file @ 1f2cfb9

@@ -304,7 +304,7 @@ $.widget( "ui.autocomplete", {
   _renderItem: function( ul, item) {
     return $( "<li></li>" )
       .data( "item.autocomplete", item )
-      .append( "<a>" + item.label + "</a>" )
+      .append( $( "<a></a>" ).text( item.label ) )
       .appendTo( ul );
   },
 

0 notes on commit `1f2cfb9` (3 line notes) Show line notes below

erikrose added a note to 1f2cfb9 demos/autocomplete/combobox.html:L60

Mon Jul 19 14:19:12 -0700 2010

Perhaps we should use text() as below so people don't copy this and end up in trouble when the label is "<script>doMaliciousStuff()</script>"?

scottgonzalez added a note to 1f2cfb9 demos/autocomplete/combobox.html:L60 repo collab

Mon Jul 19 14:48:02 -0700 2010

The combobox demo uses HTML to show highlighting, so we can't use .text().

erikrose added a note to 1f2cfb9 demos/autocomplete/combobox.html:L60

Mon Jul 19 14:49:50 -0700 2010

That's what I get for not reading the rest of the file. Never mind, and thanks for the awesome quick fix! :-D

Please log in to comment.

...	...	@@ -3,8 +3,8 @@
3	3	$q = strtolower($_GET["term"]);
4	4	if (!$q) return;
5	5	$items = array(
6		-"Great <em>Bittern</em>"=>"Botaurus stellaris",
7		-"Little <em>Grebe</em>"=>"Tachybaptus ruficollis",
	6	+"Great Bittern"=>"Botaurus stellaris",
	7	+"Little Grebe"=>"Tachybaptus ruficollis",
8	8	"Black-necked Grebe"=>"Podiceps nigricollis",
9	9	"Little Bittern"=>"Ixobrychus minutus",
10	10	"Black-crowned Night Heron"=>"Nycticorax nycticorax",

...	...	@@ -304,7 +304,7 @@ $.widget( "ui.autocomplete", {
304	304	_renderItem: function( ul, item) {
305	305	return $( "<li></li>" )
306	306	.data( "item.autocomplete", item )
307		- .append( "<a>" + item.label + "</a>" )
	307	+ .append( $( "<a></a>" ).text( item.label ) )
308	308	.appendTo( ul );
309	309	},
310	310

jquery / jquery-ui

0 notes on commit 1f2cfb9 (3 line notes) Show line notes below

Your current locale selection: English. Choose another?

0 notes on commit `1f2cfb9` (3 line notes) Show line notes below