Merge PR #665

src/util.js

@@ -55,6 +55,9 @@ tagsInput.factory('tiUtil', function($timeout, $q) {
     };
 
     self.safeHighlight = function(str, value) {
+        str = self.encodeHTML(str);
+        value = self.encodeHTML(value);
+
         if (!value) {
             return str;
         }
@@ -63,9 +66,6 @@ tagsInput.factory('tiUtil', function($timeout, $q) {
             return str.replace(/([.?*+^$[\]\\(){}|-])/g, '\\$1');
         }
 
-        str = self.encodeHTML(str);
-        value = self.encodeHTML(value);
-
         var expression = new RegExp('&[^;]+;|' + escapeRegexChars(value), 'gi');
         return str.replace(expression, function(match) {
             return match.toLowerCase() === value.toLowerCase() ? '<em>' + match + '</em>' : match;
@@ -127,4 +127,4 @@ tagsInput.factory('tiUtil', function($timeout, $q) {
     };
 
     return self;
-});
+});

test/util.spec.js

@@ -226,12 +226,18 @@ describe('tiUtil factory', function() {
             expect(tiUtil.safeHighlight('abc', 'b')).toBe('a<em>b</em>c');
             expect(tiUtil.safeHighlight('aBc', 'b')).toBe('a<em>B</em>c');
             expect(tiUtil.safeHighlight('abc', 'B')).toBe('a<em>b</em>c');
+            expect(tiUtil.safeHighlight('abcB', 'B')).toBe('a<em>b</em>c<em>B</em>');
+            expect(tiUtil.safeHighlight('abc', '')).toBe('abc');
         });
 
         it('highlights HTML entities', function() {
             expect(tiUtil.safeHighlight('a&a', '&')).toBe('a<em>&amp;</em>a');
             expect(tiUtil.safeHighlight('a>a', '>')).toBe('a<em>&gt;</em>a');
             expect(tiUtil.safeHighlight('a<a', '<')).toBe('a<em>&lt;</em>a');
+            expect(tiUtil.safeHighlight('<script>alert("XSS")</script>', '<'))
+                .toBe('<em>&lt;</em>script&gt;alert("XSS")<em>&lt;</em>/script&gt;');
+            expect(tiUtil.safeHighlight('<script>alert("XSS")</script>', ''))
+                .toBe('&lt;script&gt;alert("XSS")&lt;/script&gt;');
         });
     });