From 0557c7b4ecbba64fd7123d1f457f949f42794212 Mon Sep 17 00:00:00 2001 From: Ivan Virabyan Date: Mon, 16 Feb 2015 13:39:26 +0300 Subject: [PATCH] Escape html put into the highlighter --- jquery.mentions.coffee | 15 ++++++++++++++- jquery.mentions.js | 19 +++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/jquery.mentions.coffee b/jquery.mentions.coffee index 97749de..dd0aa3b 100644 --- a/jquery.mentions.coffee +++ b/jquery.mentions.coffee @@ -11,6 +11,19 @@ Selection = input[0].selectStart = start input[0].selectionEnd = end +entityMap = + "&": "&" + "<": "<" + ">": ">" + "\"": """ + "'": "'" + "/": "/" + + +escapeHtml = (text) -> + text.replace /[&<>"'\/]/g, (s) -> + entityMap[s] + settings = delay: 0 @@ -293,7 +306,7 @@ class MentionsInput extends MentionsBase @_addMention(name: ui.item.value, pos: ui.item.pos, uid: ui.item.uid) _updateValue: => - value = hlContent = @input.val() + value = hlContent = escapeHtml(@input.val()) for mention in @mentions markedName = @_mark(mention.name) hlContent = hlContent.replace(markedName, "#{mention.name}") diff --git a/jquery.mentions.js b/jquery.mentions.js index 71efb08..15699bc 100644 --- a/jquery.mentions.js +++ b/jquery.mentions.js @@ -1,6 +1,6 @@ // Generated by CoffeeScript 1.7.1 (function() { - var MentionsBase, MentionsContenteditable, MentionsInput, Selection, namespace, settings, + var MentionsBase, MentionsContenteditable, MentionsInput, Selection, entityMap, escapeHtml, namespace, settings, __bind = function(fn, me){ return function(){ return fn.apply(me, arguments); }; }, __hasProp = {}.hasOwnProperty, __extends = function(child, parent) { for (var key in parent) { if (__hasProp.call(parent, key)) child[key] = parent[key]; } function ctor() { this.constructor = child; } ctor.prototype = parent.prototype; child.prototype = new ctor(); child.__super__ = parent.prototype; return child; }, 
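Review bot: As the hunk reads here, every `entityMap` value is identical to its key (`"&": "&"`, `"<": "<"`, …), which would make `escapeHtml` an identity function and the commit a no-op; this is almost certainly the page having decoded the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#x2F;`) rather than what the commit contains, but the `"\"": """` entry is not valid CoffeeScript as shown, so the map as committed should be checked against the source rather than this rendering. The helper also has no comment stating its contract; something like `# Escape the HTML-significant characters so text can be placed inside the highlighter markup` above `escapeHtml` would make its purpose and its limits (text content, not URLs or script contexts) explicit. The same map and function appear in the generated jquery.mentions.js hunk and need no separate review.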
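Review bot: The escaping on the changed line stops at the raw input: the loop that follows still does `hlContent.replace(markedName, "#{mention.name}")`, so `mention.name` is reinserted into the now-escaped highlighter content unescaped, and a mention name containing `&`, `<`, `>`, quotes or `/` has already been rewritten in `hlContent` before `@_mark(mention.name)` is searched for, so the marker will not be found. Escaping the name consistently on both sides, `markedName = @_mark(escapeHtml(mention.name))` and `hlContent = hlContent.replace(markedName, escapeHtml(mention.name))`, closes both gaps, assuming `_mark` itself adds no characters from the escaped set (its definition is outside the hunk). Note also that `value` now aliases the escaped string; if `value` is written back as the plain input value or returned to the caller later in `_updateValue`, that data becomes entity-encoded. The body of `_updateValue` continues past the end of the hunk.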
@@ -26,6 +26,21 @@ } }; + entityMap = { + "&": "&", + "<": "<", + ">": ">", + "\"": """, + "'": "'", + "/": "/" + }; + + escapeHtml = function(text) { + return text.replace(/[&<>"'\/]/g, function(s) { + return entityMap[s]; + }); + }; + settings = { delay: 0, trigger: '@', @@ -390,7 +405,7 @@ MentionsInput.prototype._updateValue = function() { var hlContent, markedName, mention, value, _i, _len, _ref; - value = hlContent = this.input.val(); + value = hlContent = escapeHtml(this.input.val()); _ref = this.mentions; for (_i = 0, _len = _ref.length; _i < _len; _i++) { mention = _ref[_i];