escape default text

koenpunt · koenpunt · commit 057f28598247 · 2016-10-12T01:41:08.000+02:00
fixes #2314
diff --git a/coffee/chosen.jquery.coffee b/coffee/chosen.jquery.coffee
@@ -406,7 +406,10 @@ class Chosen extends AbstractChosen
     @search_field.val()
 
   get_search_text: ->
-    $('<div/>').text($.trim(this.get_search_field_value())).html()
+    this.escape_html $.trim(this.get_search_field_value())
+
+  escape_html: (text) ->
+    $('<div/>').text(text).html()
 
   winnow_results_set_highlight: ->
     selected_results = if not @is_multiple then @search_results.find(".result-selected.active-result") else []
diff --git a/coffee/chosen.proto.coffee b/coffee/chosen.proto.coffee
@@ -396,7 +396,10 @@ class @Chosen extends AbstractChosen
     @search_field.value
 
   get_search_text: ->
-    this.get_search_field_value().strip().escapeHTML()
+    this.escape_html this.get_search_field_value().strip()
+
+  escape_html: (text) ->
+    text.escapeHTML()
 
   winnow_results_set_highlight: ->
     if not @is_multiple
diff --git a/coffee/lib/abstract-chosen.coffee b/coffee/lib/abstract-chosen.coffee
@@ -45,6 +45,8 @@ class AbstractChosen
     else
       @default_text = @options.placeholder_text_single || @options.placeholder_text || AbstractChosen.default_single_text
 
+    @default_text = this.escape_html(@default_text)
+
     @results_none_found = @form_field.getAttribute("data-no_results_text") || @options.no_results_text || AbstractChosen.default_no_result_text
 
   choice_label: (item) ->
