
escape default text
fixes #2314
koenpunt committed Oct 1, 2016
1 parent 439a711 commit 5802305
Showing 3 changed files with 11 additions and 3 deletions.
7 changes: 5 additions & 2 deletions coffee/chosen.jquery.coffee
Expand Up @@ -43,7 +43,7 @@ class Chosen extends AbstractChosen
if @is_multiple
@container.html '<ul class="chosen-choices"><li class="search-field"><input type="text" value="' + @default_text + '" class="default" autocomplete="off" style="width:25px;" /></li></ul><div class="chosen-drop"><ul class="chosen-results"></ul></div>'
else
@container.html '<a class="chosen-single chosen-default"><span>' + @default_text + '</span><div><b></b></div></a><div class="chosen-drop"><div class="chosen-search"><input type="text" autocomplete="off" /></div><ul class="chosen-results"></ul></div>'
@container.html '<a class="chosen-single chosen-default"><span>' + this.escape_html(@default_text) + '</span><div><b></b></div></a><div class="chosen-drop"><div class="chosen-search"><input type="text" autocomplete="off" /></div><ul class="chosen-results"></ul></div>'

@form_field_jq.hide().after @container
@dropdown = @container.find('div.chosen-drop').first()
Expand Down Expand Up @@ -403,7 +403,10 @@ class Chosen extends AbstractChosen
@selected_item.addClass("chosen-single-with-deselect")

get_search_text: ->
$('<div/>').text($.trim(@search_field.val())).html()
this.escape_html $.trim(@search_field.val())

escape_html: (text) ->
$('<div/>').text(text).html()

winnow_results_set_highlight: ->
selected_results = if not @is_multiple then @search_results.find(".result-selected.active-result") else []
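Review bot: The new `this.escape_html(@default_text)` in the single-select branch of set_up_html escapes a value that coffee/lib/abstract-chosen.coffee now already escapes in set_default_text, so a placeholder containing `&` presumably ends up displayed as the literal text `&amp;` (set_default_text appears to run before set_up_html; confirm against the constructor, which is outside this hunk). Escaping should happen in exactly one place; if the abstract-chosen escape is the intended one, this line goes back to `'<span>' + @default_text + '</span>'`. The multiple-select branch two lines above still interpolates @default_text inside the `value="…"` attribute, and escape_html — `$('<div/>').text(text).html()` here, `escapeHTML()` in coffee/chosen.proto.coffee — neutralises `<`, `>` and `&` but leaves `"` untouched, so that attribute context is not covered by this change and needs its own quoting (e.g. an additional `.replace(/"/g, '&quot;')`, or assigning the value through the DOM instead of markup). set_up_html starts and ends outside the hunk.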
5 changes: 4 additions & 1 deletion coffee/chosen.proto.coffee
Expand Up @@ -393,7 +393,10 @@ class @Chosen extends AbstractChosen
@selected_item.addClassName("chosen-single-with-deselect")

get_search_text: ->
@search_field.value.strip().escapeHTML()
this.escape_html @search_field.value.strip()

escape_html: (text) ->
text.escapeHTML()

winnow_results_set_highlight: ->
if not @is_multiple
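Review bot: `escape_html` is now part of the contract AbstractChosen expects from its subclasses — coffee/lib/abstract-chosen.coffee calls `this.escape_html` on itself in this commit — but nothing here or in the jQuery counterpart marks it as such, and a reader of this file alone would take it for a private helper of get_search_text. A one-line comment above the definition would make the contract and its limits explicit, e.g. `# Required by AbstractChosen; escapes &, <, > for text-node content only (not attribute values)`. The same comment belongs on the jQuery implementation in coffee/chosen.jquery.coffee.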
2 changes: 2 additions & 0 deletions coffee/lib/abstract-chosen.coffee
Expand Up @@ -45,6 +45,8 @@ class AbstractChosen
else
@default_text = @options.placeholder_text_single || @options.placeholder_text || AbstractChosen.default_single_text

@default_text = this.escape_html(@default_text)

@results_none_found = @form_field.getAttribute("data-no_results_text") || @options.no_results_text || AbstractChosen.default_no_result_text

choice_label: (item) ->
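Review bot: After the added `@default_text = this.escape_html(@default_text)`, @default_text holds HTML-escaped text for the rest of the object's life, which changes what every consumer may do with it (insert it into markup as-is, but not escape it again or compare it to the raw option/attribute value); that invariant deserves a comment on the line, e.g. `# @default_text is stored HTML-escaped from here on; callers must not escape it again`. escape_html is not defined on AbstractChosen itself, so the call relies on every subclass providing it — worth stating in the same comment. @results_none_found on the next line is assembled from the same kinds of sources (a `data-` attribute and options) and is left unescaped here; if it is later inserted into markup the same way, it is the same case and should get the same treatment. set_default_text starts outside the hunk.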
