From aed8ba82bd889b9b55f25cc6d06f43142f3eeb1c Mon Sep 17 00:00:00 2001
From: Matthew Beale <matt.beale@madhatted.com>
Date: Wed, 27 Jul 2011 12:24:30 -0400
Subject: [PATCH] Update jQuery version for escaping

---
 chosen/chosen.jquery.js     | 21 +++++++++++----------
 coffee/chosen.jquery.coffee | 21 +++++++++++----------
 example.jquery.html         |  1 +
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/chosen/chosen.jquery.js b/chosen/chosen.jquery.js
index ac8275a..e13eabc 100644
--- a/chosen/chosen.jquery.js
+++ b/chosen/chosen.jquery.js
@@ -256,7 +256,7 @@
         if (option.group_array_index != null) {
           classes.push("group-option");
         }
-        return '<li id="' + option.dom_id + '" class="' + classes.join(' ') + '">' + $("<div />").text(option.text).html() + '</li>';
+        return '<li id="' + option.dom_id + '" class="' + classes.join(' ') + '">' + option.html + '</li>';
       } else {
         return "";
       }
@@ -377,7 +377,7 @@
       var choice_id, link;
       choice_id = this.container_id + "_c_" + item.array_index;
       this.choices += 1;
-      this.search_container.before('<li class="search-choice" id="' + choice_id + '"><span>' + item.text + '</span><a href="javascript:void(0)" class="search-choice-close" rel="' + item.array_index + '"></a></li>');
+      this.search_container.before('<li class="search-choice" id="' + choice_id + '"><span>' + item.html + '</span><a href="javascript:void(0)" class="search-choice-close" rel="' + item.array_index + '"></a></li>');
       link = $('#' + choice_id).find("a").first();
       return link.click(__bind(function(evt) {
         return this.choice_destroy_link_click(evt);
@@ -454,7 +454,7 @@
       startTime = new Date();
       this.no_results_clear();
       results = 0;
-      searchText = this.search_field.val() === this.default_text ? "" : $.trim(this.search_field.val());
+      searchText = this.search_field.val() === this.default_text ? "" : $('<div/>').text($.trim(this.search_field.val())).html();
       regex = new RegExp('^' + searchText.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"), 'i');
       zregex = new RegExp(searchText.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"), 'i');
       _ref = this.results_data;
@@ -466,11 +466,11 @@
           } else if (!(this.is_multiple && option.selected)) {
             found = false;
             result_id = option.dom_id;
-            if (regex.test(option.text)) {
+            if (regex.test(option.html)) {
               found = true;
               results += 1;
-            } else if (option.text.indexOf(" ") >= 0 || option.text.indexOf("[") === 0) {
-              parts = option.text.replace(/\[|\]/g, "").split(" ");
+            } else if (option.html.indexOf(" ") >= 0 || option.html.indexOf("[") === 0) {
+              parts = option.html.replace(/\[|\]/g, "").split(" ");
               if (parts.length) {
                 for (_j = 0, _len2 = parts.length; _j < _len2; _j++) {
                   part = parts[_j];
@@ -483,11 +483,11 @@
             }
             if (found) {
               if (searchText.length) {
-                startpos = option.text.search(zregex);
-                text = option.text.substr(0, startpos + searchText.length) + '</em>' + option.text.substr(startpos + searchText.length);
+                startpos = option.html.search(zregex);
+                text = option.html.substr(0, startpos + searchText.length) + '</em>' + option.html.substr(startpos + searchText.length);
                 text = text.substr(0, startpos) + '<em>' + text.substr(startpos);
               } else {
-                text = option.text;
+                text = option.html;
               }
               if ($("#" + result_id).html !== text) {
                 $("#" + result_id).html(text);
@@ -535,7 +535,7 @@
     Chosen.prototype.no_results = function(terms) {
       var no_results_html;
       no_results_html = $('<li class="no-results">No results match "<span></span>"</li>');
-      no_results_html.find("span").first().text(terms);
+      no_results_html.find("span").first().html(terms);
       return this.search_results.append(no_results_html);
     };
     Chosen.prototype.no_results_clear = function() {
@@ -746,6 +746,7 @@
             options_index: this.options_index,
             value: option.value,
             text: option.text,
+            html: option.innerHTML,
             selected: option.selected,
             disabled: group_disabled === true ? group_disabled : option.disabled,
             group_array_index: group_position
diff --git a/coffee/chosen.jquery.coffee b/coffee/chosen.jquery.coffee
index 460cbc0..3369e8a 100644
--- a/coffee/chosen.jquery.coffee
+++ b/coffee/chosen.jquery.coffee
@@ -220,7 +220,7 @@ class Chosen
       classes.push "result-selected" if option.selected
       classes.push "group-option" if option.group_array_index?
       
-      '<li id="' + option.dom_id + '" class="' + classes.join(' ') + '">' + $("<div />").text(option.text).html() + '</li>'
+      '<li id="' + option.dom_id + '" class="' + classes.join(' ') + '">' + option.html + '</li>'
     else
       ""
 
@@ -321,7 +321,7 @@ class Chosen
   choice_build: (item) ->
     choice_id = @container_id + "_c_" + item.array_index
     @choices += 1
-    @search_container.before  '<li class="search-choice" id="' + choice_id + '"><span>' + item.text + '</span><a href="javascript:void(0)" class="search-choice-close" rel="' + item.array_index + '"></a></li>'
+    @search_container.before  '<li class="search-choice" id="' + choice_id + '"><span>' + item.html + '</span><a href="javascript:void(0)" class="search-choice-close" rel="' + item.array_index + '"></a></li>'
     link = $('#' + choice_id).find("a").first()
     link.click (evt) => this.choice_destroy_link_click(evt)
 
@@ -402,7 +402,7 @@ class Chosen
     
     results = 0
 
-    searchText = if @search_field.val() is @default_text then "" else $.trim @search_field.val()
+    searchText = if @search_field.val() is @default_text then "" else $('<div/>').text($.trim(@search_field.val())).html()
     regex = new RegExp('^' + searchText.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"), 'i')
     zregex = new RegExp(searchText.replace(/[-[\]{}()*+?.,\\^$|#\s]/g, "\\$&"), 'i')
 
@@ -414,12 +414,12 @@ class Chosen
           found = false
           result_id = option.dom_id
           
-          if regex.test option.text
+          if regex.test option.html
             found = true
             results += 1
-          else if option.text.indexOf(" ") >= 0 or option.text.indexOf("[") == 0
+          else if option.html.indexOf(" ") >= 0 or option.html.indexOf("[") == 0
             #TODO: replace this substitution of /\[\]/ with a list of characters to skip.
-            parts = option.text.replace(/\[|\]/g, "").split(" ")
+            parts = option.html.replace(/\[|\]/g, "").split(" ")
             if parts.length
               for part in parts
                 if regex.test part
@@ -428,11 +428,11 @@ class Chosen
 
           if found
             if searchText.length
-              startpos = option.text.search zregex
-              text = option.text.substr(0, startpos + searchText.length) + '</em>' + option.text.substr(startpos + searchText.length)
+              startpos = option.html.search zregex
+              text = option.html.substr(0, startpos + searchText.length) + '</em>' + option.html.substr(startpos + searchText.length)
               text = text.substr(0, startpos) + '<em>' + text.substr(startpos)
             else
-              text = option.text
+              text = option.html
 
             $("#" + result_id).html text if $("#" + result_id).html != text
 
@@ -467,7 +467,7 @@ class Chosen
   
   no_results: (terms) ->
     no_results_html = $('<li class="no-results">No results match "<span></span>"</li>')
-    no_results_html.find("span").first().text(terms)
+    no_results_html.find("span").first().html(terms)
 
     @search_results.append no_results_html
   
@@ -632,6 +632,7 @@ class SelectParser
           options_index: @options_index
           value: option.value
           text: option.text
+          html: option.innerHTML
           selected: option.selected
           disabled: if group_disabled is true then group_disabled else option.disabled
           group_array_index: group_position
diff --git a/example.jquery.html b/example.jquery.html
index 8117d61..9b7dfed 100644
--- a/example.jquery.html
+++ b/example.jquery.html
@@ -809,6 +809,7 @@
         <em>Into This</em>        
         <select title="Choose a Country..." class="chzn-select" multiple style="width:350px;" tabindex="4">
           <option value=""></option> 
+          <option value="hacked">Hackaroo &lt;script&gt;alert('hack');&lt;/script&gt;</option> 
           <option value="United States">United States</option> 
           <option value="United Kingdom">United Kingdom</option> 
           <option value="Afghanistan">Afghanistan</option>