
move the logic that sets the button text into its own method so that …

…it can be overridden, and use text() instead of html() by default to prevent XSS attacks. fixes #229
1 parent 35b98fb commit ed89b50d2adcf71f98fbfdd587d958d4c4eb34e3 @ehynds committed Oct 23, 2012
Showing with 10 additions and 3 deletions.
  1. +7 −1 src/jquery.multiselect.js
  2. +3 −2 tests/unit/options.js
@@ -228,11 +228,17 @@
}
}
- this.buttonlabel.html(value);
+ this._setButtonValue(value);
return value;
},
+ // this exists as a separate method so that the developer
+ // can easily override it.
+ _setButtonValue: function(value) {
+ this.buttonlabel.text(value);
+ },
+
// binds events
_bindEvents: function() {
var self = this;
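Review bot: The comment above `_setButtonValue` records only that the method is an override point, not that using `text()` instead of `html()` is the fix for #229, so a developer who overrides it with `this.buttonlabel.html(value)` to get formatted labels would silently reopen the injection this commit closes. I would extend the comment to `// uses text() rather than html() so option labels are never parsed as markup (#229); an override that must render HTML has to escape or sanitize value first.` The method whose `this.buttonlabel.html(value)` call is replaced begins outside the hunk, so where `value` originates cannot be checked here.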
@@ -120,12 +120,13 @@
});
test("selectedList - encoding", function() {
+ expect(1);
+
el = $('<select><option value="A&amp;E">A&amp;E</option></select>')
.appendTo("body")
.multiselect({ selectedList: 1 });
- equals(button().text(), 'A&E');
- equals(button().find("span").last().html(), 'A&amp;E');
+ equals(button().text(), 'A&amp;E');
el.multiselect("destroy").remove();
});
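Review bot: The changed expectation at `equals(button().text(), 'A&amp;E')` asserts that an option whose markup is `A&amp;E`, which the browser parses to the text `A&E`, is now displayed as the literal string `A&amp;E`, so the entity becomes visible to the user instead of being decoded. That suggests the value handed to `_setButtonValue` is still the option's HTML and `text()` escapes it a second time; if the label were derived from the option's text rather than its markup, `text()` would display `A&E` and the original assertion `equals(button().text(), 'A&E');` could stand. This is inferred, as the code that builds the label is outside this hunk. Dropping the removed `.html()` assertion is right, since the button no longer contains markup.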
