From aebb5ad4b48b2057d25a74eeae067e7dbed8473e Mon Sep 17 00:00:00 2001
From: Martin Edenhofer
Date: Tue, 20 Jan 2015 01:33:49 +0100
Subject: [PATCH] Added html escaping.
---
 app/assets/javascripts/app/lib/base/jquery.textmodule.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/assets/javascripts/app/lib/base/jquery.textmodule.js b/app/assets/javascripts/app/lib/base/jquery.textmodule.js
index f550cab41..613b79271 100644
--- a/app/assets/javascripts/app/lib/base/jquery.textmodule.js
+++ b/app/assets/javascripts/app/lib/base/jquery.textmodule.js
@@ -351,9 +351,9 @@
 console.log('result', term, result)
 for (var i = 0; i < result.length; i++) {
 var item = result[i]
- var template = "
  • " + item.name
+ var template = "
  • " + App.Utils.htmlEscape(item.name)
 if (item.keywords) {
- template = template + " (" + item.keywords + ")"
+ template = template + " (" + App.Utils.htmlEscape(item.keywords) + ")"
 }
 template = template + "
  • "
 this.$widget.find('ul').append(template)
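Review bot: The escaping added on the `var template = ...` and `template = template + " (" ...` lines is applied by hand at each concatenation, so any other `item` field that the markup string interpolates would still reach `.append(template)` unescaped; the opening markup literal is not fully legible in this view, so that should be checked against the file. `App.Utils.htmlEscape` is defined outside this hunk, and if any value ends up inside an attribute rather than element text, it is worth confirming that the helper also encodes quote characters. A sturdier form is to create the list element first and set its label with jQuery's `.text()`, for example `$entry.text(label)` (illustrative names), so the value is never parsed as HTML. The `console.log('result', term, result)` context line still writes the search term and results to the browser console and could be removed. The enclosing function starts and ends outside the hunk.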