
Angular 1.7 breaks close button

Open dmudro opened this issue 6 years ago • 1 comments

Bug description:

Angular 1.7 inserts an unsafe: string in the href attribute when it contains href="javascript:". This breaks the close button in tags when using the multiple attribute in FF, Edge (and potentially other browsers).

Check out the close button href value in /src/select2/match-multiple.tpl.html: <a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...

The workaround is to whitelist javascript: in href globally: https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/

Link to minimally-working plunker that reproduces the issue:

http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview

Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS

Angular: 1.7.0+
UI-Select: 0.19.8

dmudro, Dec 04 '18 21:12

There is a cleaner workaround without compromising security.

By forking the select2 templates and providing the path as custom theme in the config, the ng template engine will pick up fixed html: uiSelectConfig.theme = 'path/to/fixed-ui-select-templates-without-javascript-in-href';

dmudro, Dec 05 '18 21:12
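Added example, not code from this issue, ui-select or AngularJS: a simplified Node model of the href check discussed above, comparing the default allow pattern with the globally widened one from the first workaround. It assumes the AngularJS 1.7 default pattern for `$compileProvider.aHrefSanitizationWhitelist()`; the function names, base URL and sample hrefs are constructed for illustration.

```javascript
// Simplified model of the href check (not AngularJS source code).
// Assumption: DEFAULT_PATTERN is the AngularJS 1.7 default for
// $compileProvider.aHrefSanitizationWhitelist().
const DEFAULT_PATTERN = /^\s*(https?|s?ftp|mailto|tel|file):/;
// The global workaround: the same list with javascript: added.
const WIDENED_PATTERN = /^\s*(https?|s?ftp|mailto|tel|file|javascript):/;

// Resolve the value against the page URL; if the resolved URL does not
// match the pattern, return it prefixed with "unsafe:".
function sanitizeHref(value, pattern, base = 'http://app.example/') {
  let resolved;
  try {
    resolved = new URL(value.trim(), base).href;
  } catch (err) {
    resolved = value; // unparsable input is checked as written
  }
  if (resolved !== '' && !pattern.test(resolved)) {
    return 'unsafe:' + resolved;
  }
  return value;
}

// List the hrefs that the default pattern neutralises but the widened one
// lets through unchanged, i.e. what the global workaround newly permits.
function newlyAllowed(hrefs) {
  return hrefs.filter((h) =>
    sanitizeHref(h, DEFAULT_PATTERN).startsWith('unsafe:') &&
    sanitizeHref(h, WIDENED_PATTERN) === h);
}

// Constructed sample values, not taken from a real application.
const SAMPLE_HREFS = [
  'javascript:;',               // the close button in match-multiple.tpl.html
  'javascript:userSupplied()',  // a link value bound from user-editable data
  'https://example.com/docs',
  '#/items/1',
];

for (const h of SAMPLE_HREFS) {
  console.log(h.padEnd(28), '| default:', sanitizeHref(h, DEFAULT_PATTERN),
    '| widened:', sanitizeHref(h, WIDENED_PATTERN));
}
console.log('newly allowed:', newlyAllowed(SAMPLE_HREFS));
```

The widened pattern restores the template's `javascript:;` link, but it also stops neutralising every other `javascript:` href in the application, which is why the template fork in the second comment keeps the default check in place.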