Use a patched version of awesomplete...

which doesn't render suggestions as HTML. See https://github.com/LeaVerou/awesomplete/pull/17082

Use a patched version of awesomplete...
which doesn't render suggestions as HTML. See https://github.com/LeaVerou/awesomplete/pull/17082
647395a5 · JC Brand · c4222376 · 647395a5 · 647395a5 · 647395a5
Commit 647395a5 authored Jul 12, 2017 by JC Brand
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

CHANGES.md CHANGES.md +8 -1

package.json package.json +1 -1

src/config.js src/config.js +1 -1

No files found.
--- a/CHANGES.md
+++ b/CHANGES.md
 # Changelog

-## 3.1.0 ((2017-07-05))
+## 3.1.1 (Unreleased)
+
+- Use a patched version of [awesomplete](https://github.com/LeaVerou/awesomplete)
+  which doesn't render suggestions as HTML (possible XSS attack vector). [jcbrand]
+
+More info here: https://github.com/LeaVerou/awesomplete/pull/17082
+
+## 3.1.0 (2017-07-05)

 ### API changes
 - Deprecate the `updateSettings` method in favour of

--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
  },
  "devDependencies": {
    "almond": "~0.3.3",
-    "awesomplete": "^1.1.1",
+    "awesomplete-avoid-xss": "^1.1.2",
    "backbone": "1.3.3",
    "backbone.browserStorage": "0.0.3",
    "backbone.overview": "0.0.3",

--- a/src/config.js
+++ b/src/config.js
@@ -16,7 +16,7 @@ require.config({
    baseUrl: '.',
    paths: {
        "almond":                   "node_modules/almond/almond",
-        "awesomplete":              "node_modules/awesomplete/awesomplete",
+        "awesomplete":              "node_modules/awesomplete-avoid-xss/awesomplete",
        "backbone":                 "node_modules/backbone/backbone",
        "backbone.noconflict":      "src/backbone.noconflict",
        "backbone.browserStorage":  "node_modules/backbone.browserStorage/backbone.browserStorage",