Ticket #5275 (closed bug: fixed)
suggestions are not html-encoded
| Reported by: | wouter | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.8.3 |
| Component: | ui.autocomplete | Version: | 1.8rc3 |
| Keywords: | | Cc: | |
| Blocking: | | Blocked by: | |
Description
If a suggestion in the auto-complete list contains characters such as < or &, these are not html-encoded, possibly messing up the html.
(When the suggestion is clicked the value that appears in the textbox is html-encoded.)
This is the solution I used:
```javascript
_renderItem: function( ul, item ) {
    // Build the anchor with .text() so that "<", ">" and "&" in the
    // label are inserted as literal characters, not parsed as markup
    var a = $( "<a></a>" ).text( item.label );
    return $( "<li></li>" )
        .data( "item.autocomplete", item )
        .append( a )
        .appendTo( ul );
}
```
Change History
comment:1 Changed 3 years ago by scott.gonzalez
- Status changed from new to closed
- Resolution set to invalid
comment:2 Changed 3 years ago by chungwu
- Status changed from closed to reopened
- Resolution invalid deleted
Using HTML as a label is not a good way to customize display, as that HTML string is also the string that the widget will be regexp-filtering on (which is most likely not what the user wanted to do).
It would be nice to have _renderItem, by default, assume item.label is plaintext and Do The Safe Thing. More sophisticated users can override this behavior if they want to use fancy html (as the custom renderer demo does here: http://jqueryui.com/demos/autocomplete/#custom-data)
comment:3 Changed 3 years ago by erikrose
Also, the HTML string is, by default, what will appear in the text field once chosen. I add my vote for HTML escaping by default.
comment:5 Changed 3 years ago by scott.gonzalez
- Status changed from reopened to closed
- Resolution set to fixed
- Milestone changed from TBD to 1.9
Defaulting to plaintext and defining your own render method for HTML and other complex displays makes sense. Fixed in 1f2cfb9.
comment:7 Changed 3 years ago by Scott González
Autocomplete: Render items as text, not HTML. Fixes #5275 - suggestions are not html-encoded.
As noted in the ticket, it's probably better to default to unstyled items to prevent problems. Users can still implement their own rendering method as shown in the custom data and display demo.
Changeset: 1f2cfb942f8ac5549b1fe3172501e3486415530e


This is intended, to allow flexibility in the displays. If you want to prevent using HTML and only allow text, you can change the behavior. If you need help, please ask on the forum.
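To make the two concerns raised in this ticket concrete (the label being inserted as HTML versus as text, and the filter matching against the label string), here is an added stand-alone illustration in plain JavaScript. It is not jQuery UI code: it models the menu item and the filter with string building instead of DOM nodes, and the function names and sample suggestions are constructed for this example.

```javascript
// Added illustration (not jQuery UI code): a DOM-free model of how an
// autocomplete menu item is built from item.label, before and after the fix.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Pre-fix behaviour: the label is concatenated straight into markup, so
// "<" and "&" in a suggestion become part of the document structure.
function renderItemAsHtml(item) {
  return "<li><a>" + item.label + "</a></li>";
}

// Post-fix behaviour (what $("<a></a>").text(item.label) achieves):
// the label is shown literally, whatever characters it contains.
function renderItemAsText(item) {
  return "<li><a>" + escapeHtml(item.label) + "</a></li>";
}

// The widget filters suggestions by matching the typed term against
// item.label with a regex; escapeRegex mirrors the character escaping
// jQuery UI applies to the term before building that regex.
function escapeRegex(value) {
  return value.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&");
}

function filterItems(items, term) {
  var matcher = new RegExp(escapeRegex(term), "i");
  return items.filter(function (item) { return matcher.test(item.label); });
}

// Constructed sample suggestions: a plain label and one carrying markup.
var SAMPLE_ITEMS = [
  { label: "Tom & Jerry", value: "tom-jerry" },
  { label: "<b>Bold</b> entry", value: "bold" }
];
```

Filtering the constructed list for the term "<b>" matches the second suggestion on its tags rather than on anything the user would see, which is the side effect of HTML labels that comment:2 describes.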