Escape HTML in more places

Wilson Lee · Wilson Lee · commit c0f9097e2698 · 2012-07-30T16:13:20.000-07:00
diff --git a/src/jquery.tokeninput.js b/src/jquery.tokeninput.js
@@ -34,7 +34,7 @@ var DEFAULT_SETTINGS = {
     zindex: 999,
     resultsLimit: null,
 
-    enableHTML: true,
+    enableHTML: false,
 
     resultsFormatter: function(item) {
       var string = item[this.propertyToSearch];
@@ -529,8 +529,7 @@ $.TokenList = function (input, url_or_data, settings) {
         if(input_val === (input_val = input_box.val())) {return;}
 
         // Enter new content into resizer and resize input accordingly
-        var escaped = input_val.replace(/&/g, '&amp;').replace(/\s/g,' ').replace(/</g, '&lt;').replace(/>/g, '&gt;');
-        input_resizer.html(escaped);
+        input_resizer.html(_escapeHTML(input_val));
         input_box.width(input_resizer.width() + 30);
     }
 
@@ -747,14 +746,14 @@ $.TokenList = function (input, url_or_data, settings) {
 
     function show_dropdown_searching () {
         if(settings.searchingText) {
-            dropdown.html("<p>"+settings.searchingText+"</p>");
+            dropdown.html("<p>" + escapeHTML(settings.searchingText) + "</p>");
             show_dropdown();
         }
     }
 
     function show_dropdown_hint () {
         if(settings.hintText) {
-            dropdown.html("<p>"+settings.hintText+"</p>");
+            dropdown.html("<p>" + escapeHTML(settings.hintText) + "</p>");
             show_dropdown();
         }
     }
@@ -766,7 +765,14 @@ $.TokenList = function (input, url_or_data, settings) {
 
     // Highlight the query part of the search term
     function highlight_term(value, term) {
-        return value.replace(new RegExp("(?![^&;]+;)(?!<[^<>]*)(" + regexp_escape(term) + ")(?![^<>]*>)(?![^&;]+;)", "gi"), "<b>$1</b>");
+        return value.replace(
+          new RegExp(
+            "(?![^&;]+;)(?!<[^<>]*)(" + regexp_escape(term) + ")(?![^<>]*>)(?![^&;]+;)",
+            "gi"
+          ), function(match, p1) {
+            return "<b>" + escapeHTML(p1) + "</b>";
+          }
+        );
     }
 
     function find_value_and_highlight_term(template, value, term) {
@@ -822,7 +828,7 @@ $.TokenList = function (input, url_or_data, settings) {
             }
         } else {
             if(settings.noResultsText) {
-                dropdown.html("<p>"+settings.noResultsText+"</p>");
+                dropdown.html("<p>" + escapeHTML(settings.noResultsText) + "</p>");
                 show_dropdown();
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ var DEFAULT_SETTINGS = {`
`34`	`34`	`zindex: 999,`
`35`	`35`	`resultsLimit: null,`
`36`	`36`
`37`		`- enableHTML: true,`
	`37`	`+ enableHTML: false,`
`38`	`38`
`39`	`39`	`resultsFormatter: function(item) {`
`40`	`40`	`var string = item[this.propertyToSearch];`
`@@ -529,8 +529,7 @@ $.TokenList = function (input, url_or_data, settings) {`
`529`	`529`	`if(input_val === (input_val = input_box.val())) {return;}`
`530`	`530`
`531`	`531`	`// Enter new content into resizer and resize input accordingly`
`532`		`- var escaped = input_val.replace(/&/g, '&').replace(/\s/g,' ').replace(/</g, '<').replace(/>/g, '>');`
`533`		`- input_resizer.html(escaped);`
	`532`	`+ input_resizer.html(_escapeHTML(input_val));`
`534`	`533`	`input_box.width(input_resizer.width() + 30);`
`535`	`534`	`}`
`536`	`535`
`@@ -747,14 +746,14 @@ $.TokenList = function (input, url_or_data, settings) {`
`747`	`746`
`748`	`747`	`function show_dropdown_searching () {`
`749`	`748`	`if(settings.searchingText) {`
`750`		`- dropdown.html("<p>"+settings.searchingText+"</p>");`
	`749`	`+ dropdown.html("<p>" + escapeHTML(settings.searchingText) + "</p>");`
`751`	`750`	`show_dropdown();`
`752`	`751`	`}`
`753`	`752`	`}`
`754`	`753`
`755`	`754`	`function show_dropdown_hint () {`
`756`	`755`	`if(settings.hintText) {`
`757`		`- dropdown.html("<p>"+settings.hintText+"</p>");`
	`756`	`+ dropdown.html("<p>" + escapeHTML(settings.hintText) + "</p>");`
`758`	`757`	`show_dropdown();`
`759`	`758`	`}`
`760`	`759`	`}`
`@@ -766,7 +765,14 @@ $.TokenList = function (input, url_or_data, settings) {`
`766`	`765`
`767`	`766`	`// Highlight the query part of the search term`
`768`	`767`	`function highlight_term(value, term) {`
`769`		`- return value.replace(new RegExp("(?![^&;]+;)(?!<[^<>])(" + regexp_escape(term) + ")(?![^<>]>)(?![^&;]+;)", "gi"), "<b>$1</b>");`
	`768`	`+ return value.replace(`
	`769`	`+ new RegExp(`
	`770`	`+ "(?![^&;]+;)(?!<[^<>])(" + regexp_escape(term) + ")(?![^<>]>)(?![^&;]+;)",`
	`771`	`+ "gi"`
	`772`	`+ ), function(match, p1) {`
	`773`	`+ return "<b>" + escapeHTML(p1) + "</b>";`
	`774`	`+ }`
	`775`	`+ );`
`770`	`776`	`}`
`771`	`777`
`772`	`778`	`function find_value_and_highlight_term(template, value, term) {`
`@@ -822,7 +828,7 @@ $.TokenList = function (input, url_or_data, settings) {`
`822`	`828`	`}`
`823`	`829`	`} else {`
`824`	`830`	`if(settings.noResultsText) {`
`825`		`- dropdown.html("<p>"+settings.noResultsText+"</p>");`
	`831`	`+ dropdown.html("<p>" + escapeHTML(settings.noResultsText) + "</p>");`
`826`	`832`	`show_dropdown();`
`827`	`833`	`}`
`828`	`834`	`}`