fix(security): escape category and value in default formatters (GHSA-hvqh-jw65-wcpq)

`formatGroup` interpolated `category` into HTML un-escaped, and the
early-return branch of `formatResult` (reached with `minChars: 0` and
an empty current query) returned `suggestion.value` un-escaped. Both
results are concatenated into the suggestions container's innerHTML,
yielding XSS when the data source is attacker-controllable.

Both formatters now build the HTML via `document.createElement` +
`textContent` so the browser handles entity escaping for any tainted
input.

Adds unit tests on both exported formatters plus an end-to-end test
that asserts a poisoned `category` produces zero DOM nodes in the
rendered container.

Refs GHSA-hvqh-jw65-wcpq.

Co-Authored-By: junowilderness <1977311+junowilderness@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

dist/jquery.autocomplete.esm.js

@@ -47,13 +47,18 @@ function transformResult(response) {
 }
 function formatResult(suggestion, currentValue) {
   if (!currentValue) {
-    return suggestion.value;
+    const span = document.createElement("span");
+    span.textContent = suggestion.value;
+    return span.innerHTML;
   }
   const pattern = "(" + utils.escapeRegExChars(currentValue) + ")";
   return suggestion.value.replace(new RegExp(pattern, "gi"), "<strong>$1</strong>").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/&lt;(\/?strong)&gt;/g, "<$1>");
 }
 function formatGroup(_suggestion, category) {
-  return '<div class="autocomplete-group">' + category + "</div>";
+  const div = document.createElement("div");
+  div.className = "autocomplete-group";
+  div.textContent = category;
+  return div.outerHTML;
 }
 
 // src/defaults.ts

dist/jquery.autocomplete.js

@@ -55,13 +55,18 @@
   }
   function formatResult(suggestion, currentValue) {
     if (!currentValue) {
-      return suggestion.value;
+      const span = document.createElement("span");
+      span.textContent = suggestion.value;
+      return span.innerHTML;
     }
     const pattern = "(" + utils.escapeRegExChars(currentValue) + ")";
     return suggestion.value.replace(new RegExp(pattern, "gi"), "<strong>$1</strong>").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/&lt;(\/?strong)&gt;/g, "<$1>");
   }
   function formatGroup(_suggestion, category) {
-    return '<div class="autocomplete-group">' + category + "</div>";
+    const div = document.createElement("div");
+    div.className = "autocomplete-group";
+    div.textContent = category;
+    return div.outerHTML;
   }
 
   // src/defaults.ts

dist/jquery.autocomplete.min.js

@@ -15,7 +15,11 @@ export function transformResult(response: string | AutocompleteResponse): Autoco
 
 export function formatResult(suggestion: Suggestion, currentValue: string): string {
     if (!currentValue) {
-        return suggestion.value;
+        // Same escaping channel as formatGroup — let the browser handle entities
+        // so an HTML-bearing suggestion.value can't break out of the text node.
+        const span = document.createElement("span");
+        span.textContent = suggestion.value;
+        return span.innerHTML;
     }
 
     const pattern = "(" + utils.escapeRegExChars(currentValue) + ")";
@@ -30,5 +34,8 @@ export function formatResult(suggestion: Suggestion, currentValue: string): stri
 }
 
 export function formatGroup(_suggestion: Suggestion, category: string): string {
-    return '<div class="autocomplete-group">' + category + "</div>";
+    const div = document.createElement("div");
+    div.className = "autocomplete-group";
+    div.textContent = category;
+    return div.outerHTML;
 }

src/format.ts

@@ -1,5 +1,7 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 
+import { formatGroup, formatResult } from "../src/format.ts";
+
 const $ = globalThis.jQuery;
 
 // Clear mockjax handlers and any leftover suggestion containers between tests
@@ -837,6 +839,51 @@ describe("Autocomplete groupBy", () => {
     });
 });
 
+describe("XSS in default formatters (GHSA-hvqh-jw65-wcpq)", () => {
+    const PAYLOAD = "<img src=x onerror=\"alert('XSS')\">";
+
+    afterEach(() => {
+        $(".autocomplete-suggestions").remove();
+    });
+
+    it("formatGroup escapes the category", () => {
+        const html = formatGroup({ value: "x", data: null }, PAYLOAD);
+        expect(html).not.toContain("<img");
+        expect(html).toContain("&lt;img");
+    });
+
+    it("formatResult escapes the value when currentValue is empty", () => {
+        const html = formatResult({ value: PAYLOAD, data: null }, "");
+        expect(html).not.toContain("<img");
+        expect(html).toContain("&lt;img");
+    });
+
+    it("does not inject DOM nodes when groupBy category is poisoned", () => {
+        const input = document.createElement("input");
+        document.body.appendChild(input);
+        const ac = new $.Autocomplete(input, {
+            lookup: [
+                { value: "Apple", data: { category: PAYLOAD } },
+                { value: "Avocado", data: { category: "Safe" } },
+            ],
+            groupBy: "category",
+            minChars: 1,
+            triggerSelectOnValidInput: false,
+        });
+
+        input.value = "A";
+        ac.onValueChange();
+
+        // Poisoned category renders as text inside the group header — no img
+        // element is created.
+        const container = ac.suggestionsContainer;
+        expect(container.querySelectorAll("img").length).toBe(0);
+        expect(container.querySelector(".autocomplete-group").textContent).toBe(PAYLOAD);
+
+        document.body.removeChild(input);
+    });
+});
+
 describe("When options.preserveInput is true", () => {
     const input = $("<input />");
     let instance;