From 5848d9a10c7d62c73ff6a3858edfae96a429402a Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 18 Mar 2019 19:29:30 -0700
Subject: [PATCH] Janky fix for Select2 bug
---
 resources/assets/js/snipeit.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/resources/assets/js/snipeit.js b/resources/assets/js/snipeit.js
index 4e3cb24b4ab5..e2e1dde39cc8 100755
--- a/resources/assets/js/snipeit.js
+++ b/resources/assets/js/snipeit.js
@@ -260,7 +260,18 @@ $(document).ready(function () {
 }
 function formatDataSelection (datalist) {
- return datalist.text;
+ // This a heinous workaround for a known bug in Select2.
+ // Without this, the rich selectlists are vulnerable to XSS.
+ // Many thanks to @uberbrady for this fix. It ain't pretty,
+ // but it resolves the issue until Select2 addresses it on their end.
+ //
+ // Bug was reported in 2016 :{
+ // https://github.com/select2/select2/issues/4587
+
+ return datalist.text.replace(/>/g, '>')
+ .replace(/