After upgrading from 4.7 to 4.8, I noticed the autocomplete search results are showing &amp; instead of &.
The node title is "Places & Things"
I'm using a view to populate the search results.
Let me know if there is any other information I can provide.
Comments
Comment #2
Dirkozoid commented
Hi @gmclelland,
Check my comment here and apply the patch. I had the same problem yesterday.
https://www.drupal.org/project/search_autocomplete/issues/1739852#commen...
Comment #3
gmclelland commented
Thanks for the suggestion @Dirkozoid, but the patch doesn't apply to the latest 7.4.x-dev version.
Comment #4
dom. commented
Damn... I did not see this new issue and submitted a patch at #1739852: Getting encoded HTML for special characters in autocomplete suggestions.
OK, let's start fresh. Here is the patch again.
Comment #7
dom. commented
Comment #8
gmclelland commented
Thank you Dom, that did fix the problem with the autocomplete results, but I noticed another place where it is still showing
&amp;. If you watch the search input, it changes value as a visitor uses the up or down arrow keys to select different autocomplete results.
Steps to reproduce:
- Focus a search input.
- Type the search term. Autocomplete results show.
- Press the down key a few times and watch as the search input changes its value inside the search box. That value will then show the encoded characters we don't want.
Hope that helps
Comment #9
dom. commented
I just spent an hour on this... Doesn't seem fixable to me, unless we don't send the data encoded in the JSON. But... then we go back to the security issue.
The method to override is:
$.ui.autocomplete.prototype._move
but it is not even supposed to be an extension point. Therefore the necessary elements within the method are not accessible (that I know of)...
For the moment, I don't know how to fix #8 other than disabling the keyUp / keyDown.
Comment #10
gmclelland commented
Thank you for trying. Not being that familiar with jquery.ui.autocomplete, I started looking into it.
Probably a long shot, but I wonder if https://github.com/scottgonzalez/jquery-ui-extensions/blob/master/src/au... would help?
In the docs it says:
If you want the label to be treated as html you can use Scott González' html extension.
Comment #11
gmclelland commented
I'm not sure, but maybe we should escape the characters like
&amp; right after they are received from the ajax call instead of inside the _renderItem function? Idea from https://stackoverflow.com/a/19305075/484832
I would think for it to be valid JSON all those special characters would need to be encoded?
Comment #12
dom. commented
To be honest, the "jQuery UI Autocomplete HTML Extension" is about having HTML displayed in the suggestions. The code shows the same kind of trick I used to have the fields rendered (i.e. override $.ui.autocomplete.prototype), which is the point of the demo in the project:
https://github.com/scottgonzalez/jquery-ui-extensions/blob/master/demo/a...
I spent some more time on it again and figured it out. Once you know the solution, it makes you cry how simple it actually was...
Please try out this patch and let me know.
Comment #13
gmclelland commented
So close... I tested the patch and it does fix the encoding of the text inside the search input, but if you hit the down key and then the enter key on a result item that is focused with a node title of
special "test" & <script>alert('hello')</script>
it will execute it and show a JavaScript alert. One thing I noticed is that the autocomplete result item doesn't show the <script> tags, but the search input does.
Comment #14
dom. commented
This is so frustrating! But we are getting closer.
New patch attached for you to try!
Comment #16
gmclelland commented
Just tested your patch. You fixed it Dom! Great job.
I guess it's time for new release?
Comment #19
dom. commented
Comment #20
Dirkozoid commented
Thank you!
Comment #21
gmclelland commented
Really appreciate your help Dom. Thanks again.