You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Oct 2, 2019. It is now read-only.
Angular 1.7 inserts unsafe: string in href attribute when it contains href="javascript:" . This breaks the close button in tags when using mutliple attribute in FF, Edge (and potentially other browsers).
Check out the close button href value in /src/select2/match-multiple.tpl.html: <a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...
Bug description:
Angular 1.7 inserts
unsafe:string in href attribute when it containshref="javascript:". This breaks the close button in tags when usingmutlipleattribute in FF, Edge (and potentially other browsers).Check out the close button href value in
/src/select2/match-multiple.tpl.html:<a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...The workaround is to whitelist javascript: in href globally:
https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/
Link to minimally-working plunker that reproduces the issue:
http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview
Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS
Angular: 1.7.0+
UI-Select: 0.19.8