#5275 closed bug (fixed)

Opened March 04, 2010 01:33PM UTC

Closed July 19, 2010 09:13PM UTC

Last modified November 19, 2010 06:26PM UTC

suggestions are not html-encoded

Reported by: wouter
Owned by:
Priority: minor
Milestone: 1.8.3
Component: ui.autocomplete
Version: 1.8rc3
Keywords:
Cc:
Blocked by:
Blocking:
Description

If a suggestion in the auto-complete list contains characters such as < or &, these are not html-encoded, possibly messing up the html.

(When the suggestion is clicked the value that appears in the textbox is html-encoded.)

This is the solution I used:

	_renderItem: function( ul, item ) {
		// Build the anchor with .text() so the label is inserted as text,
		// not parsed as HTML ("<a>" + item.label + "</a>" would be parsed).
		var a = $( "<a></a>" ).text( item.label );
		return $( "<li></li>" )
			.data( "item.autocomplete", item )
			.append( a )
			.appendTo( ul );
	}
Attachments (0)
Change History (7)

Changed March 04, 2010 07:28PM UTC by scottgonzalez comment:1

resolution: → invalid
status: new → closed

This is intended, to allow flexibility in the displays. If you want to prevent using HTML and only allow text, you can change the behavior. If you need help, please ask on the forum.

Changed July 08, 2010 10:13PM UTC by chungwu comment:2

resolution: invalid →
status: closed → reopened

Using HTML as a label is not a good way to customize display, as that HTML string is also the string that the widget will be regexp-filtering on (which is most likely not what the user wanted to do).

It would be nice to have _renderItem, by default, assume item.label is plaintext and Do The Safe Thing. More sophisticated users can override this behavior if they want to use fancy html (as the custom renderer demo does here: http://jqueryui.com/demos/autocomplete/#custom-data)
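The two problems raised so far (markup characters in a label being parsed as HTML, and the HTML string being what the built-in filter matches against) are shown side by side below. This is an added example, not jQuery UI's code; `escapeRegex` and `filterItems` are a plain-JavaScript reimplementation modelled on `$.ui.autocomplete.escapeRegex` and `$.ui.autocomplete.filter`, and the sample labels are constructed.

```javascript
// Added example (not jQuery UI's own code): why a label must be rendered as text.
// Escape the characters that change meaning when text becomes HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// 1.8rc3 behaviour: the label string is dropped into the markup unchanged, so
// any "<" or "&" in it is parsed as HTML instead of being shown as characters.
function renderItemUnsafe(item) {
  return "<li><a>" + item.label + "</a></li>";
}

// Post-fix behaviour (what the reporter's $("<a></a>").text(item.label) does):
// the label is inserted as text and always displays literally.
function renderItemSafe(item) {
  return "<li><a>" + escapeHtml(item.label) + "</a></li>";
}

// Regex quoting and filtering modelled on $.ui.autocomplete.escapeRegex/.filter
// (reimplemented here; assumed to be close enough to the 1.8 logic).
function escapeRegex(value) {
  return value.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&");
}

function filterItems(items, term) {
  var matcher = new RegExp(escapeRegex(term), "i");
  return items.filter(function (item) {
    return matcher.test(item.label || item.value || item);
  });
}

// Constructed sample data: a label with markup characters, and the same
// suggestion written once as HTML and once as plain text.
var markupLabel = { label: "AT&T <b>Wireless</b>" };
var htmlSource = [{ label: "Tom &amp; Jerry" }, { label: "Ampersand" }];
var textSource = [{ label: "Tom & Jerry" }, { label: "Ampersand" }];

console.log(renderItemUnsafe(markupLabel)); // <b> becomes a real element
console.log(renderItemSafe(markupLabel));   // literal "<b>" and "&" are displayed
// Typing "amp" matches the HTML-labelled "Tom &amp; Jerry" through its entity text,
// but not the plain-text "Tom & Jerry":
console.log(filterItems(htmlSource, "amp").length, filterItems(textSource, "amp").length);
```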

Changed July 19, 2010 05:30PM UTC by erikrose comment:3

Also, the HTML string is, by default, what will appear in the text field once chosen. I add my vote for HTML escaping by default.

Changed July 19, 2010 05:31PM UTC by erikrose comment:4

Er, never mind; you already said that. *needs breakfast*

Changed July 19, 2010 09:13PM UTC by scottgonzalez comment:5

milestone: TBD → 1.9
resolution: → fixed
status: reopened → closed

Defaulting to plaintext and defining your own render method for HTML and other complex displays makes sense. Fixed in 1f2cfb9.

Changed August 04, 2010 01:26AM UTC by scottgonzalez comment:6

milestone: 1.9 → 1.8.3

Changed November 19, 2010 06:26PM UTC by Scott González comment:7

Autocomplete: Render items as text, not HTML. Fixes #5275 - suggestions are not html-encoded.

As noted in the ticket, it's probably better to default to unstyled items to prevent problems. Users can still implement their own rendering method as shown in the custom data and display demo.

Changeset: 1f2cfb942f8ac5549b1fe3172501e3486415530e