// remove invalid value, as it didn't match anything
$( element )
.val( "" )
- .attr( "title", $( "<a>" ).text( value ).html() + " didn't match any item" )
+ .attr( "title", value + " didn't match any item" )
.tooltip( "open" );
select.val( "" );
setTimeout(function() {
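Review bot: Nothing at the `.attr( "title", value + " didn't match any item" )` call records that the unescaped `value` is safe only because the tooltip's default `content` callback now escapes the title before rendering it. Anyone who copies this demo and supplies a custom `content` option that returns the title as HTML would reintroduce the injection the old `$( "<a>" ).text( value ).html()` guarded against. I would add a comment above the chain, for example `// value is stored unescaped; the tooltip's default content callback escapes the title, a custom content option must do the same`. The surrounding function starts and ends outside the hunk.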
deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), "anchortitle" );
});
+test( "content: default; HTML escaping", function() {
+ expect( 2 );
+ var scriptText = "<script>$.ui.tooltip.hacked = true;</script>",
+ element = $( "#tooltipped1" );
+
+ $.ui.tooltip.hacked = false;
+ element.attr( "title", scriptText )
+ .tooltip()
+ .tooltip( "open" );
+ equal( $.ui.tooltip.hacked, false, "script did not execute" );
+ deepEqual( $( "#" + element.data( "ui-tooltip-id" ) ).text(), scriptText,
+ "correct tooltip text" );
+});
+
test( "content: return string", function() {
expect( 1 );
var element = $( "#tooltipped1" ).tooltip({
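Review bot: The new test writes `$.ui.tooltip.hacked` onto the shared widget namespace and never removes it, so the flag stays visible to every test that runs afterwards; ending the test with `delete $.ui.tooltip.hacked;` keeps it self-contained. The `equal( $.ui.tooltip.hacked, false, ... )` check also runs synchronously right after `open`, so it only proves that an inline script did not execute during insertion. Markup whose handlers fire later would pass that assertion even if it were rendered as HTML. The `deepEqual` on `.text()` is the assertion that actually pins the escaping, and a short comment saying so would stop someone from dropping it as redundant.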
version: "@VERSION",
options: {
content: function() {
- return $( this ).attr( "title" );
+ var title = $( this ).attr( "title" );
+ // Escape title, since we're going from an attribute to raw HTML
+ return $( "<a>" ).text( title ).html();
},
hide: true,
// Disabled elements have inconsistent behavior across browsers (#8661)
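Review bot: `title` is `undefined` when the element has no `title` attribute, and the new default `content` callback passes it straight to `.text( title )`. Depending on the jQuery version in use, `.text( undefined )` may behave as a getter and return a string, in which case the chained `.html()` would throw instead of producing empty content; this should be confirmed against the oldest supported jQuery. Coercing first avoids the question: `var title = $( this ).attr( "title" ) || "";`. The escaping covers text inserted as element content, which is what the tooltip does with this return value. The options object continues outside the hunk.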