Open dmudro opened 5 years ago
There is a cleaner workaround without compromising security.
By forking the select2 templates and providing the path as custom theme in the config, the ng template engine will pick up fixed html:
uiSelectConfig.theme = 'path/to/fixed-ui-select-templates-without-javascript-in-href';
Bug description:
Angular 1.7 inserts
unsafe:
string in href attribute when it containshref="javascript:"
. This breaks the close button in tags when usingmutliple
attribute in FF, Edge (and potentially other browsers).Check out the close button href value in
/src/select2/match-multiple.tpl.html
:<a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...
The workaround is to whitelist javascript: in href globally: https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/
Link to minimally-working plunker that reproduces the issue:
http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview
Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS
Angular: 1.7.0+ UI-Select: 0.19.8