"&amp;" instead of "&" in displayed result. #163

Closed · vindolin opened this issue Mar 10, 2016 · 3 comments · 2 participants

vindolin commented Mar 10, 2016

Whenever I have an ampersand in my search string, it leads to all the special chars getting converted and displayed as "&amp;", "&gt;" etc.
Any ideas what I'm doing wrong?

Good: (screenshot `typeahead_good`)

Bad: (screenshot `typeahead_bad`)

Here's my code and JSON source:
https://gist.github.com/vindolin/68b7d97bf1f9dab0caa3

running-coder (Owner) commented Mar 10, 2016

Hey Vindolin, this issue is caused by #134, I'll have a look shortly on how we can resolve this.

Thanks for pointing it out

@running-coder running-coder added the Bug label Mar 10, 2016

@running-coder running-coder added this to the 2.4.0 milestone Mar 10, 2016

running-coder (Owner) commented Mar 10, 2016

The sanitize function was introduced to prevent XSS in case you are pulling data from an untrusted source. While waiting for a fix in 2.4 you can simply comment out both sanitize calls @L1646 & 1660 when building the template.

This task might take a bit longer than a quick fix.

sanitize prevents any script / unwanted code from executing:

{
  "data": [
    {
      "id": "1",
      "display": "Technik & Unterhaltung <script>alert('test')</script> "
    },
    {
      "id": "1.1",
      "display": "Technik & Unterhaltung > B\u00fccher"
    },
    {
      "id": "1.1.1",
      "display": "Technik & Unterhaltung > B\u00fccher > Belletristik"
    }
  ]
}

@running-coder running-coder modified the milestones: 2.5.0, 2.4.0, 2.4.1 Mar 26, 2016

running-coder (Owner) commented Mar 29, 2016

Should be good now on the develop branch, let me know

@running-coder running-coder modified the milestones: 2.5.0, 2.4.1 Apr 3, 2016

running-coder added a commit that referenced this issue Apr 5, 2016

Version 2.5.0
*Breaking Changes*
- Typeahead HTML template
- Group option
- DropdownFilter option

Features:
- #175 Provide a default `loading` state and animation
- #174 Add standard cancel button option instead of browser's implementation
- #173 Variables for Typeahead SCSS file, it is now more easy to generate your own theme!
- #172 Typeahead using BEM standards
- #70 Populate `dropdownFilter` based on an item.key (self discovering groups) for static data

Fixes:
- #163 "&amp;" instead of "&" in displayed result

Notes:
- Removed caret option, it is now CSS only
- SVG data uri images

running-coder pushed a commit that referenced this issue Apr 6, 2016

tom bertrand
* Version 2.5.0
*Breaking Changes*

Update the following Typeahead configurations
- Typeahead HTML template
- Group option
- DropdownFilter option

Features:
- #175 Provide a default `loading` state and animation
- #174 Add standard cancel button option instead of browser's implementation
- #173 Variables for Typeahead SCSS file, it is now more easy to generate your own theme!
- #172 Typeahead using BEM standards
- #70 Populate `dropdownFilter` based on an item.key (self discovering groups) for static data

Fixes:
- #163 "&amp;" instead of "&" in displayed result

Notes:
- Removed caret option, it is now CSS only
- SVG data uri images