Commit e461f402 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge "Bug 1719472: Escape user's display_name() when supplying to autocomplete" into 16.10_STABLE

parents 09156ce6 fa531905
......@@ -46,10 +46,11 @@ while ($more && count($tmpuser) < $usersperpage) {
($USER->id == $user['id'])) {
continue;
}
$tmpuser[] = (object) array('id' => $user['id'],
$tmpuser[] = (object) array(
'id' => $user['id'],
'text' => '<img class="select2-user-icon" src="' . get_config('wwwroot') . 'thumb.php?type=profileicon&maxwidth=40&maxheight=40&id=' . $user['id'] . '" />' .
'<span>' . display_name($user['id']) . '</span>',
'name' => display_name($user['id'])
'<span>' . hsc(display_name($user['id'])) . '</span>',
'name' => hsc(display_name($user['id']))
);
}
$page++;
......
......@@ -195,7 +195,9 @@ $form = pieform(array(
'initfunction' => 'translate_ids_to_names',
'multiple' => true,
'extraparams' => array(
'escapeMarkup' => 'function (markup) { return markup; }', // let our custom formatter work
// Let our custom formatter work by avoiding escaping in Select2
// We will instead escape the markup on the PHP side first.
'escapeMarkup' => 'function (markup) { return markup; }',
'templateSelection' =>
'function (data) {
if (typeof data.name !== "undefined") {
......@@ -274,7 +276,7 @@ function translate_ids_to_names(array $ids) {
foreach ($ids as $id) {
$deleted = get_field('usr', 'deleted', 'id', $id);
if (($deleted === '0') && is_numeric($id) && can_send_message($USER->to_stdclass(), $id)) {
$results[] = (object) array('id' => $id, 'text' => display_name($id));
$results[] = (object) array('id' => $id, 'text' => hsc(display_name($id)));
}
}
return $results;
......
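Review bot: With `escapeMarkup` left as the identity function in the pieform `extraparams`, Select2 no longer escapes anything for this field, so output safety depends on every producer of `text` and `name` calling `hsc()`. This commit covers the two PHP sites shown, but nothing at those sites records why the call must stay. I would add a comment above both `$tmpuser[] = ...` and `$results[] = ...`, such as `// Select2 escapeMarkup is disabled for this field: every value placed in text/name must go through hsc()`. A more durable option, if the formatter allows it, is to have `templateSelection` return a jQuery element built with `.text()`, which Select2 does not pass through `escapeMarkup`, so the default escaper could be restored. The `templateSelection` body and `translate_ids_to_names()` both continue outside the visible hunks, so other paths feeding this widget could not be checked here.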