Search and Top Navigation
#5275 closed bug (fixed)
Opened March 04, 2010 01:33PM UTC
Closed July 19, 2010 09:13PM UTC
Last modified November 19, 2010 06:26PM UTC
suggestions are not html-encoded
| Reported by: | wouter | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.8.3 |
| Component: | ui.autocomplete | Version: | 1.8rc3 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
If a suggestion in the auto-complete list contains characters such as < or &, these are not html-encoded, possibly messing up the html.
(When the suggestion is clicked the value that appears in the textbox is html-encoded.)
This is the solution I used:
_renderItem: function( ul, item) {
var a = $("<a></a>").text(item.label);
return $( "<li></li>" )
.data( "item.autocomplete", item )
.append( a )
.appendTo( ul );
}
Attachments (0)
Change History (7)
Changed March 04, 2010 07:28PM UTC by comment:1
| resolution: | → invalid |
|---|---|
| status: | new → closed |
Changed July 08, 2010 10:13PM UTC by comment:2
| resolution: | invalid |
|---|---|
| status: | closed → reopened |
Using an HTML as a label is not a good way to customize display, as that HTML string is also the string that the widget will be regexp-filtering on (which is most likely not what the user wanted to do).
It would be nice to have _renderItem, by default, assume item.label is plaintext and Do The Safe Thing. More sophisticated users can override this behavior if they want to use fancy html (as the custom renderer demo does here: http://jqueryui.com/demos/autocomplete/#custom-data)
Changed July 19, 2010 05:30PM UTC by comment:3
Also, the HTML string is, by default, what will appear in the text field once chosen. I add my vote for HTML escaping by default.
Changed July 19, 2010 05:31PM UTC by comment:4
Er, never mind; you already said that. *needs breakfast*
Changed July 19, 2010 09:13PM UTC by comment:5
| milestone: | TBD → 1.9 |
|---|---|
| resolution: | → fixed |
| status: | reopened → closed |
Defaulting to plaintext and defining your own render method for HTML and other complex displays makes sense. Fixed in 1f2cfb9.
Changed August 04, 2010 01:26AM UTC by comment:6
| milestone: | 1.9 → 1.8.3 |
|---|
Changed November 19, 2010 06:26PM UTC by comment:7
Autocomplete: Render items as text, not HTML. Fixes #5275 - suggestions are not html-encoded.
As noted in the ticket, it's probably better to default to unstyled items to prevent problems. Users can still implement their own rendering method as shown in the custom data and display demo.
Changeset: 1f2cfb942f8ac5549b1fe3172501e3486415530e
This is intended, to allow flexibility in the displays. If you want to prevent using HTML and only allow text, you can change the behavior. If you need help, please ask on the forum.