Autocomplete demo: Combobox: Encode search term inside tooltips. Fixes #8859 - Autocomplete: XSS in combobox demo.

scottgonzalez · scottgonzalez · commit 5fee6fd50000 · 2012-11-27T10:52:40.000-05:00
diff --git a/demos/autocomplete/combobox.html b/demos/autocomplete/combobox.html
@@ -61,7 +61,7 @@
 						// remove invalid value, as it didn't match anything
 						$( element )
 							.val( "" )
-							.attr( "title", value + " didn't match any item" )
+							.attr( "title", $( "<a>" ).text( value ).html() + " didn't match any item" )
 							.tooltip( "open" );
 						select.val( "" );
 						setTimeout(function() {
