escape HTML from text options (fix #110)

author: Lou <louiscuny@gmail.com> 2014-01-28 14:44:26 +0100
committer: Lou <louiscuny@gmail.com> 2014-01-28 14:44:47 +0100
commit: 51e632801eb0a6096ef280096ae39c95a6aa3d05 (patch)
tree: fc1b9f223827bc6f39b609009bc529d78b1f4452 /js
parent: 65f9282a981fd4be371ee83580298c071a862c70 (diff)
download: multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.zip
multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.tar.gz
multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.tar.bz2
1 files changed, 5 insertions, 1 deletions
diff --git a/js/jquery.multi-select.js b/js/jquery.multi-select.js
index b705a27..be3faa2 100644
--- a/js/jquery.multi-select.js
+++ b/js/jquery.multi-select.js
@@ -108,7 +108,7 @@
           attributes += attr.name+'="'+attr.value+'" ';
         }
       }
-      var selectableLi = $('<li '+attributes+'><span>'+$option.text()+'</span></li>'),
+      var selectableLi = $('<li '+attributes+'><span>'+that.escapeHTML($option.text())+'</span></li>'),
           selectedLi = selectableLi.clone(),
           value = $option.val(),
           elementId = that.sanitize(value);
@@ -187,6 +187,10 @@
       })
     },
 
+    'escapeHtml' : function(text){
+      return $("<div>").text(text).html();
+    },
+
     'activeKeyboard' : function($list){
       var that = this;
author	Lou <louiscuny@gmail.com>	2014-01-28 14:44:26 +0100
committer	Lou <louiscuny@gmail.com>	2014-01-28 14:44:47 +0100
commit	51e632801eb0a6096ef280096ae39c95a6aa3d05 (patch)
tree	fc1b9f223827bc6f39b609009bc529d78b1f4452 /js
parent	65f9282a981fd4be371ee83580298c071a862c70 (diff)
download	multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.zip multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.tar.gz multi-select-51e632801eb0a6096ef280096ae39c95a6aa3d05.tar.bz2