Escape optgroup label when appending to HTML.

adunkman · adunkman · commit 42d9c88e0498 · 2017-09-05T15:44:56.000-04:00
diff --git a/coffee/lib/abstract-chosen.coffee b/coffee/lib/abstract-chosen.coffee
@@ -131,7 +131,7 @@ class AbstractChosen
 
     group_el = document.createElement("li")
     group_el.className = classes.join(" ")
-    group_el.innerHTML = group.highlighted_html or group.label
+    group_el.innerHTML = group.highlighted_html or this.escape_html(group.label)
     group_el.title = group.title if group.title
 
     this.outerHTML(group_el)
diff --git a/spec/jquery/searching.spec.coffee b/spec/jquery/searching.spec.coffee
@@ -47,7 +47,22 @@ describe "Searching", ->
     expect(div.find(".active-result").length).toBe(1)
     expect(div.find(".active-result").first().html()).toBe("<em>A</em> &amp; B")
 
-  it "renders optgroups correctly when they contain characters that require HTML encoding", ->
+  it "renders optgroups correctly when they contain html encoded tags", ->
+    div = $("<div>").html("""
+      <select>
+        <optgroup label="A &lt;b&gt;hi&lt;/b&gt; B">
+          <option value="Item">Item</option>
+        </optgroup>
+      </select>
+    """)
+
+    div.find("select").chosen()
+    div.find(".chosen-container").trigger("mousedown") # open the drop
+
+    expect(div.find(".group-result").length).toBe(1)
+    expect(div.find(".group-result").first().html()).toBe("A &lt;b&gt;hi&lt;/b&gt; B")
+
+  it "renders optgroups correctly when they contain characters that require HTML encoding when searching", ->
     div = $("<div>").html("""
       <select>
         <optgroup label="A &amp; B">
diff --git a/spec/proto/searching.spec.coffee b/spec/proto/searching.spec.coffee
@@ -51,6 +51,22 @@ describe "Searching", ->
     expect(div.down(".active-result").innerHTML).toBe("<em>A</em> &amp; B")
 
   it "renders optgroups correctly when they contain characters that require HTML encoding", ->
+    div = new Element("div")
+    div.update("""
+      <select>
+        <optgroup label="A &lt;b&gt;hi&lt;/b&gt; B">
+          <option value="Item">Item</option>
+        </optgroup>
+      </select>
+    """)
+
+    new Chosen(div.down("select"))
+    simulant.fire(div.down(".chosen-container"), "mousedown") # open the drop
+
+    expect(div.select(".group-result").length).toBe(1)
+    expect(div.down(".group-result").innerHTML).toBe("A &lt;b&gt;hi&lt;/b&gt; B")
+
+  it "renders optgroups correctly when they contain characters that require HTML encoding when searching", ->
     div = new Element("div")
     div.update("""
       <select>
