From f595298be445c83e06c5255ce5265d2b89a336b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20=C5=9Eamil?=
Date: Tue, 1 Jan 2019 18:46:17 +0300
Subject: [PATCH] Avoid from Html injection

I added a function that encoding the html tags to avoid html injection.
---
 src/core.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/core.js b/src/core.js
index 4203dfa..cc2a172 100644
--- a/src/core.js
+++ b/src/core.js
@@ -298,7 +298,7 @@ var EasyAutocomplete = (function(scope) {
 .mouseout(function() {
 config.get("list").onMouseOutEvent();
 })
-.html(template.build(highlight(elementsValue, phrase), listData[j]));
+.html(template.build(highlight(htmlEntities(elementsValue), phrase), listData[j]));
 })();
 
 $listContainer.append($item);
@@ -316,6 +316,10 @@ var EasyAutocomplete = (function(scope) {
 $field.after($elements_container);
 }
 
+
+function htmlEntities(str) {
+return String(str).replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"');
+}
 
 function removeContainer() {
 $field.next("." + consts.getValue("CONTAINER_CLASS")).remove();
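Review bot: Encoding elementsValue before it reaches highlight() on the added `.html(...)` line means the phrase is matched against the entity-encoded text, so a typed phrase containing `&`, `<`, `>` or `"` no longer highlights, and a phrase such as `amp` can match inside an inserted entity. The encoding needs to be applied to the raw value with the highlight markup added afterwards, or highlight() has to escape each fragment it emits itself; highlight's body is not in the hunk, so which option fits depends on how it builds its markup. The second argument `listData[j]` is still handed to template.build unescaped; if templates interpolate fields from it, those paths remain uncovered by this change. The enclosing item-rendering function starts and ends outside the hunk.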
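Review bot: As rendered, the replacement chain in the new htmlEntities() maps `&` to `&` and contains an empty regex `//g` followed by `'>'`, which JavaScript would read as a line comment and leave the statement unterminated; this looks like the page decoding `&amp;`, `&lt;` and `&gt;` inside the patch text rather than the author's code, so the raw commit should be checked before merging. The function also leaves the single quote untouched, so a value a template interpolates into a single-quoted attribute is still not inert; `.replace(/'/g, '&#39;')` at the end of the chain closes that gap. A one-line JSDoc such as `/** Escape &, <, >, " and ' so a suggestion value is inert as HTML text or attribute content. */` and a small test feeding a value that contains `<`, `&` and both quote characters would pin the contract.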