Fixed #54 - Support correct HTML encoding

gfranko · Nov 21, 2012 · 5d3d13e · 5d3d13e
1 parent a43da71
commit 5d3d13e
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 7 deletions.
diff --git a/demos/default.html b/demos/default.html
@@ -14,7 +14,7 @@
 <form>
 <select id="test">
   <option value="Select a Month bithcesdjaldkjlakjs">Select a Month</option>
-  <option value="January">January</option>
+  <option value="1">Some Text &lt;strike&gt;bad&lt;/strike&gt; good</option>
   <option value="February">February</option>
   <option value="March">March</option>
   <option value="April">April</option>

diff --git a/src/javascripts/jquery.selectBoxIt.core.js b/src/javascripts/jquery.selectBoxIt.core.js
@@ -337,8 +337,8 @@
 
                 }
 
-                // Uses Array.join instead of string concatenation for speed (applies HTML attribute encoding for quotes)
-                currentItem += optgroupElement + '<li id="' + index + '" data-val="' + this.value.replace(/\"/g,'&quot;') + '" data-disabled="' + dataDisabled + '" class="' + optgroupClass + " selectboxit-option" + ($(this).attr("class") || "") + '" style="' + ($(this).attr("style") || "") + '"><a class="selectboxit-option-anchor"><i class="selectboxit-option-icon ' + iconClass + '"></i>' + $(this).text() + '</a></li>';
+                // Uses Array.join instead of string concatenation for speed (applies HTML attribute encoding)
+                currentItem += optgroupElement + '<li id="' + index + '" data-val="' + self.htmlEscape(this.value) + '" data-disabled="' + dataDisabled + '" class="' + optgroupClass + " selectboxit-option" + ($(this).attr("class") || "") + '" style="' + ($(this).attr("style") || "") + '"><a class="selectboxit-option-anchor"><i class="selectboxit-option-icon ' + iconClass + '"></i>' + self.htmlEscape($(this).text()) + '</a></li>';
 
                 // Stores all of the original select box options text inside of an array
                 // (Used later in the `searchAlgorithm` method)
@@ -1442,6 +1442,17 @@
 
             });
 
+        },
+
+        htmlEscape: function(str) {
+
+            return String(str)
+                .replace(/&/g, '&amp;')
+                .replace(/"/g, '&quot;')
+                .replace(/'/g, '&#39;')
+                .replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;');
+
         }
 
     });