
[Dropdown] Remote content should handle quotes in item value properly #4592

Open
hejmsdz opened this issue Sep 26, 2016 · 7 comments

hejmsdz commented Sep 26, 2016

When a JSON response for a remote dropdown contains quotes inside a string, it's misinterpreted as the end of an attribute. See http://jsfiddle.net/1xLsau44/10/ and try inspecting $(".menu").

@awgv awgv added this to the Needs Milestone milestone Mar 11, 2017

thekid commented Sep 3, 2017

The above jsfiddle does not work anymore, but I've experienced the same problem.

JSON

This is what the server returns:

[{"label":"He said: \"" is a quote\"","value":"hello-html","created":"2017-09-03"}]

Wiring

This is the onResponse() handler I use to transform the results:

// escapeHTML() as described below: replaces < > " & with their entities
function escapeHTML(str) {
  return String(str).replace(/[&<>"]/g, function(c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c];
  });
}

$('.ui.dropdown').dropdown({
  apiSettings: {
    url: '/topics/complete?term={query}',
    onResponse: function(results) {
      var response = { success : true, results : []};
      $.each(results, function(index, item) {
        var topic = escapeHTML(item.label);
        response.results.push({
          name  : null === item.created ? '+ ' + topic : topic,
          value : topic,
          text  : escapeHTML(topic)   // Yes, it needs to be escaped twice!
        });
      });
      return response;
    }
  }
});

escapeHTML() takes care of replacing <>"& with their respective entities.

Observations

  • First of all, needing to escape HTML in the results is weird; I assume this is so HTML fragments can be inserted. The same goes for .search(), so it seems intentional.
  • Having to escape twice for the text key feels like a bug (try with HTML fragments such as <script>alert(1)</script> to see the effect if omitted!).
  • I found "Values with double quotes raises error" (UI-Dropdown#8), which is closed and seems to have addressed a similar issue by replacing " with &quot;. This turns He said: "&quot; is a quote" into He said: &quot;&quot; is a quote&quot;, which is definitely a bug - the value is no longer the same.

Fix

I've put together a fix at https://gist.github.com/thekid/39580dba8dba5b227d5ab57f4ca5ac5e. The diff is against semantic.js from the dist folder; the real fix will probably need to be made over at https://github.com/Semantic-Org/UI-Dropdown.
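The two failure modes described in this thread (a raw quote terminating the attribute, and a pre-escaped value being escaped a second time) as an added, self-contained example; this is not code from Semantic UI or from any commenter. All function names are hypothetical, `readDataValue` is a deliberately minimal stand-in for the browser's attribute parsing, and the sample item is constructed to mirror the label in the thread.

```javascript
// Added example: why a quote in an item value breaks the generated markup and
// why escaping it twice changes the stored value. Names are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const REVERSE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"' };

// Escape exactly once, at the point where a string enters attribute or text content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"]/g, (c) => ENTITIES[c]);
}

// What a browser does when it reads an attribute back: entities become characters.
function unescapeHtml(s) {
  return s.replace(/&(?:amp|lt|gt|quot);/g, (e) => REVERSE[e]);
}

// Naive template: raw interpolation, the behaviour reported in this issue.
function naiveItemHtml(item) {
  return '<div class="item" data-value="' + item.value + '">' + item.name + '</div>';
}

// Hardened template: every interpolation escaped once, right where it is inserted.
function safeItemHtml(item) {
  return '<div class="item" data-value="' + escapeHtml(item.value) + '">'
    + escapeHtml(item.name) + '</div>';
}

// Minimal reader (stand-in for the HTML parser): first data-value="..." token.
function readDataValue(html) {
  const m = /data-value="([^"]*)"/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

// Constructed sample mirroring the label quoted in the thread.
const SAMPLE = { name: 'He said: "" is a quote"', value: 'He said: "" is a quote"' };

function demo() {
  return {
    naive: readDataValue(naiveItemHtml(SAMPLE)),   // truncated at the first quote
    safe: readDataValue(safeItemHtml(SAMPLE)),     // round-trips unchanged
    // Escaping in onResponse and again in the template: the value read back
    // is the entity string, no longer the original text.
    doubled: readDataValue(safeItemHtml({ name: SAMPLE.name, value: escapeHtml(SAMPLE.value) })),
  };
}
```

Escaping belongs at the single point where a string is placed into markup; an escaped value stored in an attribute must decode back to the original, which is exactly what the double-escaped case fails.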


stale bot commented Jun 5, 2018

There has been no activity in this thread for 90 days. While we care about every issue and we’d love to see this fixed, the core team’s time is limited so we have to focus our attention on the issues that are most pressing. Therefore, we will likely not be able to get to this one.

However, PRs for this issue will of course be accepted and welcome!

If there is no more activity in the next 90 days, this issue will be closed automatically for housekeeping. To prevent this, simply leave a reply here. Thanks!

@stale stale bot added the stale label Jun 5, 2018

thekid commented Jun 5, 2018

This is a confirmed bug, how can I aid in fixing it? Can you give me some directions?

@stale stale bot removed the stale label Jun 5, 2018

jbwl commented Aug 3, 2018

This is pretty crucial for select tags containing arbitrary data for option values - I'd like this fixed please.

@y0hami y0hami modified the milestones: Needs Milestone, 2.3.x Aug 3, 2018

jbwl commented Sep 26, 2018

As this wasn't addressed in 2.4, I'd like to find a solution here, even if it's a workaround or hack.


jbwl commented Oct 19, 2018

Another release (2.4.1) and it seems this bug hasn't been addressed, at least according to the changelog. Please let us know how we can assist you.
