Skip to content
This repository has been archived by the owner on Oct 2, 2019. It is now read-only.

Angular 1.7 breaks close button #2172

Open
dmudro opened this issue Dec 4, 2018 · 1 comment
Open

Angular 1.7 breaks close button #2172

dmudro opened this issue Dec 4, 2018 · 1 comment

Comments

@dmudro
Copy link

dmudro commented Dec 4, 2018

Bug description:

Angular 1.7 inserts unsafe: string in href attribute when it contains href="javascript:" . This breaks the close button in tags when using mutliple attribute in FF, Edge (and potentially other browsers).

Check out the close button href value in /src/select2/match-multiple.tpl.html:
<a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...

The workaround is to whitelist javascript: in href globally:
https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/

Link to minimally-working plunker that reproduces the issue:

http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview

Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS

Angular: 1.7.0+
UI-Select: 0.19.8
@dmudro
Copy link
Author

dmudro commented Dec 5, 2018

There is a cleaner workaround without compromising security.

By forking the select2 templates and providing the path as custom theme in the config, the ng template engine will pick up fixed html:
uiSelectConfig.theme = 'path/to/fixed-ui-select-templates-without-javascript-in-href';

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dmudro