Updated Branches: refs/heads/wicket-1.5.x f0e2bf133 -> 59611932f
WICKET-4691 Unescaped html in autocomplete
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/59611932
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/59611932
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/59611932
Branch: refs/heads/wicket-1.5.x
Commit: 59611932f9088ab2111093dcc21b3a61ca88ad26
Parents: f0e2bf1
Author: Martin Tzvetanov Grigorov <[email protected]>
Authored: Thu Aug 2 15:48:01 2012 +0300
Committer: Martin Tzvetanov Grigorov <[email protected]>
Committed: Thu Aug 2 15:48:01 2012 +0300
----------------------------------------------------------------------
 .../autocomplete/AbstractAutoCompleteRenderer.java | 2 ++
 .../AbstractAutoCompleteTextRenderer.java | 5 ++++-
 .../html/autocomplete/wicket-autocomplete.js | 10 +++-------
3 files changed, 9 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/59611932/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
index e0bb0f7..c6c15dd 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteRenderer.java
@@ -17,6 +17,7 @@
 package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.util.string.Strings;
 /**
 * A renderer that abstracts autoassist specific details and allows subclasses to only render the
@@ -43,6 +44,7 @@ public abstract class AbstractAutoCompleteRenderer<T> implements IAutoCompleteRe
 object.toString());
 }
 textValue = textValue.replaceAll("\\\"", """);
+ textValue = Strings.escapeMarkup(textValue).toString();
 response.write("<li textvalue=\"" + textValue + "\"");
 final CharSequence handler = getOnSelectJavaScriptExpression(object);
http://git-wip-us.apache.org/repos/asf/wicket/blob/59611932/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
index 9644689..da59e04 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/AbstractAutoCompleteTextRenderer.java
@@ -17,6 +17,7 @@
 package org.apache.wicket.extensions.ajax.markup.html.autocomplete;
 import org.apache.wicket.request.Response;
+import org.apache.wicket.util.string.Strings;
 /**
 * Base for text renderers that simply want to show a string
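Review bot: The new `Strings.escapeMarkup` call in renderChoice runs after the preceding `replaceAll` that has already turned `"` into an entity (the replacement literal shows as `"""` on this page, presumably `&quot;` after entity decoding), so if escapeMarkup also encodes `&` — as a markup escaper normally must — every quote in the text value reaches the client as `&amp;quot;`, i.e. double-escaped. If escapeMarkup already handles `"`, the replaceAll line is redundant and should be dropped so the value is escaped exactly once: `textValue = Strings.escapeMarkup(textValue).toString();`. A regression test with a text value containing `"`, `&` and `<` that asserts the decoded `textvalue` attribute equals the original string would pin this. renderChoice continues outside the hunk, including what is done with `handler`.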
@@ -33,6 +34,8 @@ public abstract class AbstractAutoCompleteTextRenderer<T> extends AbstractAutoCo
 @Override
 protected void renderChoice(final T object, final Response response, final String criteria)
 {
- response.write(getTextValue(object));
+ String textValue = getTextValue(object);
+ textValue = Strings.escapeMarkup(textValue).toString();
+ response.write(textValue);
 }
 }
http://git-wip-us.apache.org/repos/asf/wicket/blob/59611932/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
----------------------------------------------------------------------
diff --git a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
index da28c13..d8e660d 100644
--- a/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
+++ b/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/autocomplete/wicket-autocomplete.js
@@ -628,7 +628,7 @@ Wicket.AutoComplete=function(elementId, callbackUrl, cfg, indicatorId){
 var mouseOverFunc = function(event) {
 setSelected(getElementIndex(this));
- render(false, false); // don't scroll - breaks mouse weel scrolling
+ render(false, false); // don't scroll - breaks mouse wheel scrolling
 showAutoComplete();
 };
 for(var i = 0;i < elementCount; i++) {
@@ -652,7 +652,7 @@ Wicket.AutoComplete=function(elementId, callbackUrl, cfg, indicatorId){
 } else {
 value=attr.value;
 }
- if (stripHTML(value) == input.value)
+ if (value == input.value)
 {
 selectedIndex = i;
 break;
@@ -700,7 +700,7 @@ Wicket.AutoComplete=function(elementId, callbackUrl, cfg, indicatorId){
 } else {
 value=attr.value;
 }
- return stripHTML(value);
+ return value;
 }
 function getElementIndex(element) {
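Review bot: `Strings.escapeMarkup(textValue).toString()` dereferences the escaper's result without a null check, so a subclass whose `getTextValue` returns null will now fail with a NullPointerException on that line if escapeMarkup passes null through; the sibling AbstractAutoCompleteRenderer.renderChoice in this commit appears to guard that case (its hunk ends a `throw` that reports `object.toString()`), and the same guard belongs here: `if (textValue == null) { throw new IllegalStateException("getTextValue(Object) returned null for: " + object); }`. This is also a contract change for subclasses — whatever getTextValue returns is now escaped, so a renderer that returned pre-escaped or intentionally marked-up text will render doubly escaped — and that should be stated in getTextValue's Javadoc, e.g. `Returns the plain, unescaped text of the choice; markup escaping is applied by {@link #renderChoice}`. getTextValue's declaration is outside this hunk.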
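Review bot: Dropping `stripHTML` from the comparison at `if (value == input.value)` is only safe when `value` holds decoded text; the `else` branch just above assigns `attr.value`, which the DOM does return decoded, but the other branch of that `if` is outside the hunk, and if it falls back to the item's `innerHTML` the comparison (and the same removal at `return value;` in the hunk at line 700) now sees entity-encoded text such as `&lt;` instead of the plain string the server escaped. Prefer the node's text content in that branch so both call sites compare plain text, e.g. `value = element.textContent || element.innerText;`. The `stripHTML` helper itself is deleted further down in this file, so a grep for remaining callers is worthwhile before merge. The enclosing Wicket.AutoComplete function starts and ends outside these hunks.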
@@ -711,10 +711,6 @@ Wicket.AutoComplete=function(elementId, callbackUrl, cfg, indicatorId){
 }
 return -1;
 }
-
- function stripHTML(str) {
- return str.replace(/<[^>]+>/g,"");
- }
 function adjustScrollOffset(menu, item) {
 // this should consider margins/paddings; now it is not exact
 if (item.offsetTop + item.offsetHeight > menu.scrollTop + menu.offsetHeight) {
