Fix XSS issue in suggestion template.

[considerate]

This pull request solves #964.

[bmchrist]

+1
Using something along these lines make make for a bit more clear/standard of code:

function escapeHTML( string )
{
var el = document.createElement('p');
document.appendChild(document.createTextNode(string));
return el.innerHTML;
}

[jskvara]

+1

[bitcity]

+1. Though I prefer the approach of underscore.js. They escape a limited set which includes quotes & backtick too.

Copied from https://github.com/jashkenas/underscore/blob/master/underscore.js

// List of HTML entities for escaping.
var escapeMap = {
  '&': '&',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;'
};

// Functions for escaping and unescaping strings to/from HTML interpolation.
var createEscaper = function(map) {
  var escaper = function(match) {
    return map[match];
  };
  // Regexes for identifying a key that needs to be escaped
  var source = '(?:' + _.keys(map).join('|') + ')';
  var testRegexp = RegExp(source);
  var replaceRegexp = RegExp(source, 'g');
  return function(string) {
    string = string == null ? '' : '' + string;
    return testRegexp.test(string) ? string.replace(replaceRegexp, escaper) : string;
  };
};

_.escape = createEscaper(escapeMap);

[epidemian]

👍

Another approach, instead of manually escaping the characters, could be to use jQuery to generate the HTML:

function suggestionTemplate(context) {
    return $("<p>").text(displayFn(context))[0].outerHTML;
}

Or, as the result of the template function is only used to feed $.fn.append, it could return the jQuery object directly:

function suggestionTemplate(context) {
    return $("<p>").text(displayFn(context))
}

[jharding]

Updated to work with v0.11 in #1182. Thanks for the PR.