
Commit 19806d4

authored
fix(dropdown): multiselect values encoding, removing label
When a multiple dropdown (not built from a select) was used and the selected data contained characters such as & or ', the values were stored entity-encoded (resulting in false positives when later compared to their original values). Even worse, this was only done for all previously selected values; the value currently being added was kept raw. Dropdowns built from select tags do not store the selected data in an input field, so the issue does not occur there. The original data should be kept, as is already the case for dropdowns made from select tags; SUI does not encode it either. Additionally, this PR fixes a situation where a value containing double quotes led to a JS error when trying to remove that label. Double quotes in select menus are now also kept encoded instead of being removed, so select and non-select dropdowns behave the same. Double quotes are always either encoded (where the text needs to be kept) or removed (everywhere else, e.g. class names, where they make no sense), for security reasons, because all internal templates use them for HTML generation.
1 parent 2093c46 commit 19806d4


1 file changed

+11
-10
lines changed


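--- a/src/definitions/modules/dropdown.js
+++ b/src/definitions/modules/dropdown.js
@@ -1930,7 +1930,7 @@ $.fn.dropdown = function(parameters) {
 : value
 ;
 },
-values: function() {
+values: function(raw) {
 var
 value = module.get.value()
 ;
@@ -1939,7 +1939,7 @@ $.fn.dropdown = function(parameters) {
 }
 return ( !module.has.selectInput() && module.is.multiple() )
 ? (typeof value == 'string') // delimited string
-? module.escape.htmlEntities(value).split(settings.delimiter)
+? (raw ? value : module.escape.htmlEntities(value)).split(settings.delimiter)
 : ''
 : value
 ;
@@ -2970,7 +2970,7 @@ $.fn.dropdown = function(parameters) {
 },
 value: function(addedValue, addedText, $selectedItem) {
 var
-currentValue = module.get.values(),
+currentValue = module.get.values(true),
 newValue
 ;
 if(module.has.value(addedValue)) {
@@ -3179,8 +3179,9 @@ $.fn.dropdown = function(parameters) {
 },
 label: function(value, shouldAnimate) {
 var
+escapedValue = module.escape.value(value),
 $labels = $module.find(selector.label),
-$removedLabel = $labels.filter('[data-' + metadata.value + '="' + module.escape.string(settings.ignoreCase ? value.toLowerCase() : value) +'"]')
+$removedLabel = $labels.filter('[data-' + metadata.value + '="' + module.escape.string(settings.ignoreCase ? escapedValue.toLowerCase() : escapedValue) +'"]')
 ;
 module.verbose('Removing label', $removedLabel);
 $removedLabel.remove();
@@ -3329,7 +3330,7 @@ $.fn.dropdown = function(parameters) {
 },
 valueMatchingCase: function(value) {
 var
-values = module.get.values(),
+values = module.get.values(true),
 hasValue = Array.isArray(values)
 ? values && ($.inArray(value, values) !== -1)
 : (values == value)
@@ -3341,7 +3342,7 @@ $.fn.dropdown = function(parameters) {
 },
 valueIgnoringCase: function(value) {
 var
-values = module.get.values(),
+values = module.get.values(true),
 hasValue = false
 ;
 if(!Array.isArray(values)) {
@@ -4166,8 +4167,8 @@ $.fn.dropdown.settings = {
 
 /* Templates */
 $.fn.dropdown.settings.templates = {
-deQuote: function(string) {
-return String(string).replace(/"/g,"");
+deQuote: function(string, encode) {
+return String(string).replace(/"/g,encode ? """ : "");
 },
 escape: function(string, preserveHTML) {
 if (preserveHTML){
@@ -4231,13 +4232,13 @@ $.fn.dropdown.settings.templates = {
 if( itemType === 'item' ) {
 var
 maybeText = (option[fields.text])
-? ' data-text="' + deQuote(option[fields.text]) + '"'
+? ' data-text="' + deQuote(option[fields.text],true) + '"'
 : '',
 maybeDisabled = (option[fields.disabled])
 ? className.disabled+' '
 : ''
 ;
-html += '<div class="'+ maybeDisabled + (option[fields.class] ? deQuote(option[fields.class]) : className.item)+'" data-value="' + deQuote(option[fields.value]) + '"' + maybeText + '>';
+html += '<div class="'+ maybeDisabled + (option[fields.class] ? deQuote(option[fields.class]) : className.item)+'" data-value="' + deQuote(option[fields.value],true) + '"' + maybeText + '>';
 if(option[fields.image]) {
 html += '<img class="'+(option[fields.imageClass] ? deQuote(option[fields.imageClass]) : className.image)+'" src="' + deQuote(option[fields.image]) + '">';
 }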
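Review bot: The encode branch of `deQuote` (hunk at 4167) turns only `"` into its entity (the rendered line reads `"""`, which is presumably `"&quot;"` with the entity decoded by the page — worth confirming against the raw file), so `&` and `<` in `option[fields.value]` / `option[fields.text]` still land unencoded inside the double-quoted `data-value` / `data-text` attributes written in the following hunk. That cannot break out of the attribute, but an ambiguous ampersand such as a literal `&amp;` in a value is decoded by the HTML parser and no longer round-trips to the original string the commit description says should be kept. If exact round-tripping is the goal, encoding `&` first in the encode branch, `return encode ? String(string).replace(/&/g,'&amp;').replace(/"/g,'&quot;') : String(string).replace(/"/g,'');`, would be the consistent fix, after checking that the `data-value` lookups elsewhere compare against the decoded attribute value. A short comment on `deQuote` stating its contract would also help, e.g. `// encode: keep the quote as &quot; (attribute text that must be preserved); otherwise strip it (class names, image src)`. The `$.fn.dropdown.settings.templates` object that holds `deQuote` continues outside the hunk.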
