Home Explore Help
Sign In
hugh
/
select2
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fixed option text encoding

This fixes an issue when using a `<select>` where the elements were
created with XHTML-encoded characters to prevent any injection, as
they would be double-encoded and display incorrectly.

When using a `<select>`, we can assume that the data has already
been encoded because any XSS will have already run before we get to
it.  Because of this, we can just use `.text()` instead of `.html()`
to avoid any issues.

This also includes a test to ensure that this does not become an
issue in the future.

This closes https://github.com/select2/select2/issues/3115.
Kevin Brown 10 years ago
parent
b917754e55
commit
0da15aa586
8 changed files with 18 additions and 5 deletions
Split View Show Diff Stats
  1. 1 1
      dist/js/select2.amd.full.js
  2. 1 1
      dist/js/select2.amd.js
  3. 1 1
      dist/js/select2.full.js
  4. 0 0
      dist/js/select2.full.min.js
  5. 1 1
      dist/js/select2.js
  6. 0 0
      dist/js/select2.min.js
  7. 1 1
      src/js/select2/data/select.js
  8. 13 0
      tests/data/select-tests.js

+ 1 - 1
dist/js/select2.amd.full.js
View File 

@@ -2563,7 +2563,7 @@ define('select2/data/select',[
 
     if ($option.is('option')) {
 
       data = {
 
         id: $option.val(),
 
-        text: $option.html(),
 
+        text: $option.text(),
 
         disabled: $option.prop('disabled'),
 
         selected: $option.prop('selected'),
 
         title: $option.prop('title')

+ 1 - 1
dist/js/select2.amd.js
View File 

@@ -2563,7 +2563,7 @@ define('select2/data/select',[
 
     if ($option.is('option')) {
 
       data = {
 
         id: $option.val(),
 
-        text: $option.html(),
 
+        text: $option.text(),
 
         disabled: $option.prop('disabled'),
 
         selected: $option.prop('selected'),
 
         title: $option.prop('title')

+ 1 - 1
dist/js/select2.full.js
View File 

@@ -3002,7 +3002,7 @@ define('select2/data/select',[
 
     if ($option.is('option')) {
 
       data = {
 
         id: $option.val(),
 
-        text: $option.html(),
 
+        text: $option.text(),
 
         disabled: $option.prop('disabled'),
 
         selected: $option.prop('selected'),
 
         title: $option.prop('title')

File diff suppressed because it is too large
+ 0 - 0
dist/js/select2.full.min.js


+ 1 - 1
dist/js/select2.js
View File 

@@ -3002,7 +3002,7 @@ define('select2/data/select',[
 
     if ($option.is('option')) {
 
       data = {
 
         id: $option.val(),
 
-        text: $option.html(),
 
+        text: $option.text(),
 
         disabled: $option.prop('disabled'),
 
         selected: $option.prop('selected'),
 
         title: $option.prop('title')

File diff suppressed because it is too large
+ 0 - 0
dist/js/select2.min.js


+ 1 - 1
src/js/select2/data/select.js
View File 

@@ -205,7 +205,7 @@ define([
 
     if ($option.is('option')) {
 
       data = {
 
         id: $option.val(),
 
-        text: $option.html(),
 
+        text: $option.text(),
 
         disabled: $option.prop('disabled'),
 
         selected: $option.prop('selected'),
 
         title: $option.prop('title')

+ 13 - 0
tests/data/select-tests.js
View File 

@@ -439,3 +439,16 @@ test('multiple options with the same value are returned', function (assert) {
 
     );
 
   });
 
 });
 
+
 
+test('data objects use the text of the option', function (assert) {
 
+  var $select = $('#qunit-fixture .duplicates');
 
+
 
+  var data = new SelectData($select, options);
 
+
 
+  var $option = $('<option>&amp;</option>');
 
+
 
+  var item = data.item($option);
 
+
 
+  assert.equal(item.id, '&');
 
+  assert.equal(item.text, '&');
 
+});

Some files were not shown because too many files changed in this diff