Updated Branches: refs/heads/master 397ed489f -> 8bcfc1132
WICKET-4691 Unescaped html in autocomplete Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/8bcfc113 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/8bcfc113 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/8bcfc113 Branch: refs/heads/master Commit: 8bcfc11324293d750861f93789cd6797ab874aac Parents: 397ed48 Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Thu Aug 2 15:44:15 2012 +0300 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Thu Aug 2 15:44:15 2012 +0300
----------------------------------------------------------------------
.../autocomplete/AbstractAutoCompleteRenderer.java | 2 ++ .../AbstractAutoCompleteTextRenderer.java | 5 ++++- .../html/autocomplete/wicket-autocomplete.js | 10 +++------- 3 files changed, 9 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/8bcfc113/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
index e9e524c..dc7dfde 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
@@ -17,6 +17,7 @@
 package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.util.string.Strings;
 /**
 * A renderer that abstracts autoassist specific details and allows subclasses to only render the
@@ -44,6 +45,7 @@ public abstract class AbstractAutoCompleteRenderer<T> implements IAutoCompleteRe
 object.toString());
 }
 textValue = textValue.replaceAll("\\\"", """);
+ textValue = Strings.escapeMarkup(textValue).toString();
 response.write("<li textvalue=\"" + textValue + "\"");
 final CharSequence handler = getOnSelectJavaScriptExpression(object);
http://git-wip-us.apache.org/repos/asf/wicket/blob/8bcfc113/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
index 9644689..da59e04 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
@@ -17,6 +17,7 @@
 package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.util.string.Strings;
 /**
 * Base for text renderers that simply want to show a string
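Review bot: In the -44 hunk the new `textValue = Strings.escapeMarkup(textValue).toString();` runs after the existing `replaceAll` line that already turns double quotes into a `&quot;` entity (the entity shows up decoded in this rendering of the mail), and Strings.escapeMarkup also encodes `&`, so a quote in a choice would now reach the `textvalue` attribute as `&amp;quot;` and be handed back to the input as the literal text `&quot;`. Since escapeMarkup itself emits `&quot;` for a quote, the replaceAll line is redundant and should be removed, leaving the escapeMarkup call as the single encoding step before `response.write("<li textvalue=\"" + textValue + "\"");`. The escaping covers only the text value; the `getOnSelectJavaScriptExpression(object)` result on the last context line is written further down, outside the hunk, and deserves its own check of how it is quoted into the attribute. The enclosing method starts and ends outside the hunk.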
@@ -33,6 +34,8 @@ public abstract class AbstractAutoCompleteTextRenderer<T> extends AbstractAutoCo
 @Override
 protected void renderChoice(final T object, final Response response, final String criteria)
 {
- response.write(getTextValue(object));
+ String textValue = getTextValue(object);
+ textValue = Strings.escapeMarkup(textValue).toString();
+ response.write(textValue);
 }
 }
http://git-wip-us.apache.org/repos/asf/wicket/blob/8bcfc113/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
index a2e73c5..ac37d51 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
@@ -657,7 +657,7 @@
 var mouseOverFunc = function(event) {
 setSelected(getElementIndex(this));
- render(false, false); // don't scroll - breaks mouse weel scrolling
+ render(false, false); // don't scroll - breaks mouse wheel scrolling
 showAutoComplete();
 };
 for(var i = 0;i < elementCount; i++) {
@@ -681,7 +681,7 @@
 } else {
 value=attr.value;
 }
- if (stripHTML(value) === input.value)
+ if (value === input.value)
 {
 selectedIndex = ec;
 break;
@@ -728,7 +728,7 @@
 } else {
 value=attr.value;
 }
- return stripHTML(value);
+ return value;
 }
 function getElementIndex(element) {
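Review bot: renderChoice now HTML-escapes whatever getTextValue(object) returns, but nothing in the hunk records that contract, so a subclass that already returns escaped text will be double-encoded and one that deliberately returned markup silently changes output. A Javadoc note on getTextValue, which is declared outside the hunk, would settle it: `Returns the plain, unescaped text of the choice; renderChoice applies markup escaping, so implementations must not encode the value themselves.` A null return from getTextValue, if escapeMarkup passes null through, would now fail at `.toString()` where the old code handed null straight to `response.write`, so either guard `textValue == null` or document a non-null requirement. The same escape-then-toString pair appears in the AbstractAutoCompleteRenderer hunk at -44 and could be a single protected helper in the base class.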
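Review bot: The comparison `if (value === input.value)` in the -681 hunk now relies entirely on the server having escaped the choice text, because the client no longer strips tags here or in the `return value;` hunk at -728; a short comment would stop someone from re-adding stripHTML or assuming the client still sanitizes, e.g. `// value comes from the server-escaped textvalue attribute and is plain text; do not strip or alter it`. Only the `value=attr.value` branch is visible; the `if` branch that assigns value sits outside the hunk, and if it reads innerHTML its entity-encoded text would presumably no longer compare equal to input.value, which is worth confirming. Renderers that implement IAutoCompleteRenderer directly rather than extending the two abstract classes changed in this commit get no escaping, and after this hunk no client-side stripping either, so the escaping requirement belongs in the interface documentation.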
@@ -742,10 +742,6 @@
 return -1;
 }
- function stripHTML(str) {
- return str.replace(/<[^>]+>/g,"");
- }
-
 function adjustScrollOffset(menu, item) {
 // this should consider margins/paddings; now it is not exact
 if (item.offsetTop + item.offsetHeight > menu.scrollTop + menu.offsetHeight) {
 menu.scrollTop = item.offsetTop + item.offsetHeight - menu.offsetHeight;
