angular-ui / ui-select

AngularJS-native version of Select2 and Selectize
MIT License

Angular 1.7 breaks close button #2172

Open dmudro opened 5 years ago

dmudro commented 5 years ago

Bug description:

Angular 1.7 inserts an unsafe: string in the href attribute when it contains href="javascript:". This breaks the close button in tags when using the multiple attribute in FF, Edge (and potentially other browsers).

Check out the close button href value in /src/select2/match-multiple.tpl.html: <a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...

The workaround is to whitelist javascript: in href globally: https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/

Link to minimally-working plunker that reproduces the issue:

http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview

Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS

Angular: 1.7.0+ UI-Select: 0.19.8

dmudro commented 5 years ago

There is a cleaner workaround without compromising security.

By forking the select2 templates and providing the path as a custom theme in the config, the ng template engine will pick up the fixed HTML: uiSelectConfig.theme = 'path/to/fixed-ui-select-templates-without-javascript-in-href';
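
The difference in risk between the two workarounds in this thread, as an added sketch that is not code from ui-select or AngularJS: it models the href sanitizer as an allowlist check that prefixes unsafe:, then audits templates against it. The allowlist patterns, BASE, the function names and both template strings are assumptions constructed for illustration.

```javascript
// Simplified model of an AngularJS-style a[href] sanitizer (assumption,
// not AngularJS source): normalize the URL, test it against a scheme
// allowlist, and prefix "unsafe:" when it does not match.
const DEFAULT_ALLOWLIST = /^\s*(https?|s?ftp|mailto|tel|file):/;
// The global workaround: javascript: added to the allowed schemes.
const WIDENED_ALLOWLIST = /^\s*(https?|s?ftp|mailto|tel|file|javascript):/;
const BASE = 'http://app.example/'; // constructed page URL for relative hrefs

function sanitizeHref(href, allowlist) {
  let normalized;
  try {
    normalized = new URL(href, BASE).href;
  } catch (e) {
    normalized = href; // unparsable input is checked as written
  }
  if (normalized !== '' && !allowlist.test(normalized)) {
    return 'unsafe:' + normalized;
  }
  return normalized;
}

// Audit a template: list every literal href the sanitizer would rewrite.
function blockedHrefs(templateHtml, allowlist = DEFAULT_ALLOWLIST) {
  const found = [];
  for (const m of templateHtml.matchAll(/\bhref\s*=\s*"([^"]*)"/gi)) {
    if (sanitizeHref(m[1], allowlist).startsWith('unsafe:')) found.push(m[1]);
  }
  return found;
}

// Constructed samples: a close button using the href quoted in the issue,
// and a forked variant with no href attribute at all.
const ORIGINAL_TPL =
  '<a href="javascript:;" class="ui-select-match-close select2-search-choice-close"></a>';
const FORKED_TPL =
  '<a class="ui-select-match-close select2-search-choice-close"></a>';

console.log(blockedHrefs(ORIGINAL_TPL)); // the close button href is rewritten
console.log(blockedHrefs(FORKED_TPL));   // nothing left to rewrite

// Widening the allowlist un-breaks the button, but it also lets any
// javascript: URL bound into an href anywhere in the application through.
console.log(sanitizeHref('javascript:;', WIDENED_ALLOWLIST));
console.log(sanitizeHref('javascript:anyScript()', WIDENED_ALLOWLIST));
console.log(sanitizeHref('javascript:anyScript()', DEFAULT_ALLOWLIST));
```

Running blockedHrefs over a forked theme directory before switching uiSelectConfig.theme confirms that no template still depends on a javascript: href.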