RetailCRM-Mirror/select2
1
0
Fork 0
mirror of synced 2024-11-25 22:36:03 +03:00
Code Issues Projects Releases Wiki Activity

Fixed option text encoding

Browse Source 
This fixes an issue when using a `<select>` where the elements were
created with XHTML-encoded characters to prevent any injection, as
they would be double-encoded and display incorrectly.

When using a `<select>`, we can assume that the data has already
been encoded because any XSS will have already run before we get to
it.  Because of this, we can just use `.text()` instead of `.html()`
to avoid any issues.

This also includes a test to ensure that this does not become an
issue in the future.

This closes https://github.com/select2/select2/issues/3115.
This commit is contained in:
Kevin Brown 2015-03-11 18:06:07 -04:00
parent b917754e55
commit 0da15aa586
8 changed files with 20 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dist/js/select2.amd.full.js vendored
View File

@ -2563,7 +2563,7 @@ define('select2/data/select',[
if ($option.is('option')) {
data = {
id: $option.val(),
text: $option.html(),
text: $option.text(),
disabled: $option.prop('disabled'),
selected: $option.prop('selected'),
title: $option.prop('title')

2
dist/js/select2.amd.js vendored
View File

@ -2563,7 +2563,7 @@ define('select2/data/select',[
if ($option.is('option')) {
data = {
id: $option.val(),
text: $option.html(),
text: $option.text(),
disabled: $option.prop('disabled'),
selected: $option.prop('selected'),
title: $option.prop('title')

2
dist/js/select2.full.js vendored
View File

@ -3002,7 +3002,7 @@ define('select2/data/select',[
if ($option.is('option')) {
data = {
id: $option.val(),
text: $option.html(),
text: $option.text(),
disabled: $option.prop('disabled'),
selected: $option.prop('selected'),
title: $option.prop('title')

2
dist/js/select2.full.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
dist/js/select2.js vendored
View File

@ -3002,7 +3002,7 @@ define('select2/data/select',[
if ($option.is('option')) {
data = {
id: $option.val(),
text: $option.html(),
text: $option.text(),
disabled: $option.prop('disabled'),
selected: $option.prop('selected'),
title: $option.prop('title')

2
dist/js/select2.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
src/js/select2/data/select.js vendored
View File

@ -205,7 +205,7 @@ define([
if ($option.is('option')) {
data = {
id: $option.val(),
text: $option.html(),
text: $option.text(),
disabled: $option.prop('disabled'),
selected: $option.prop('selected'),
title: $option.prop('title')

13
tests/data/select-tests.js
View File

@ -439,3 +439,16 @@ test('multiple options with the same value are returned', function (assert) {
);
});
});
test('data objects use the text of the option', function (assert) {
var $select = $('#qunit-fixture .duplicates');
var data = new SelectData($select, options);
var $option = $('<option>&amp;</option>');
var item = data.item($option);
assert.equal(item.id, '&');
assert.equal(item.text, '&');
});