Avoid from Html injection #372
base: master
I added a function that encodes the HTML tags to avoid HTML injection.
@@ -298,7 +298,7 @@ var EasyAutocomplete = (function(scope) { | |||
.mouseout(function() { | |||
config.get("list").onMouseOutEvent(); | |||
}) | |||
.html(template.build(highlight(elementsValue, phrase), listData[j])); | |||
.html(template.build(highlight(htmlEntities(elementsValue), phrase), listData[j])); |
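Review bot: only elementsValue is encoded here; phrase is still passed to highlight() raw, so a typed phrase containing a character that htmlEntities rewrites (`&`, `<`, `>`, `"`) no longer matches the encoded value and the match is silently not highlighted. Encode phrase the same way before calling highlight, or encode after highlighting while keeping only the highlight markup. Note also that listData[j] still reaches template.build unencoded, so whatever the template renders from that object is not covered by this change.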
It would be nice to add a config flag for this HTML injection feature, so a user can decide whether they want to use it or not. It can be enabled by default.
Yeah, you are right. I forgot the flags. I will check it tonight.
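The flag the reviewer asks for, together with an entity encoder that keeps highlighting intact, as an added example (not the plugin's code and not the code from this PR). The flag name `htmlEncode`, the helper `renderItem` and the stand-in `highlight()` are assumptions made for this example; the plugin's real highlight() and template.build() are not shown here.

```javascript
// Added example, not EasyAutocomplete code. Encodes the five characters that
// matter for HTML text and attribute contexts; '&' goes first so the '&'
// introduced by the other replacements is not encoded a second time.
function htmlEntities(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the plugin's highlight(): wraps every case-insensitive match
// of phrase in <b>...</b>. Both arguments are expected to be already encoded
// when encoding is on, so the <b> tags are the only markup produced.
function highlight(value, phrase) {
  if (!phrase) return value;
  var escaped = phrase.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return value.replace(new RegExp(escaped, "gi"), function (m) {
    return "<b>" + m + "</b>";
  });
}

// Builds one list item. `htmlEncode` (hypothetical flag) defaults to true;
// setting it to false keeps the pre-PR behaviour of rendering values raw.
// Encoding the phrase as well keeps highlighting working for inputs such as "&".
function renderItem(value, phrase, config) {
  var encode = !config || config.htmlEncode !== false;
  var v = encode ? htmlEntities(value) : value;
  var p = encode ? htmlEntities(phrase) : phrase;
  return highlight(v, p);
}
```

With the flag on, a value of `<script>` renders as the literal text `<script>` with the matched part bolded; with it off, markup in values is handed to `.html()` unchanged, which is exactly the injection the PR is closing, so the off setting is only for callers who knowingly render trusted markup.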
@@ -316,6 +316,10 @@ var EasyAutocomplete = (function(scope) { | |||
|
|||
$field.after($elements_container); | |||
} | |||
|
|||
function htmlEntities(str) { |
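Review bot: the new htmlEntities helper has no doc comment, and its body is not in the visible part of the hunk. Whatever it does, replace `&` before `<`, `>`, `"` and `'`, otherwise the entities just produced are encoded a second time, and add a small test with a value containing each of those characters so the call site that now depends on it stays covered. Keep the name describing encoding rather than stripping: entity-encoding preserves the user-visible text while neutralising it, which is what the modified `.html(...)` call relies on.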
Can you rename this method to striHTMLTags?