Use a patched version of awesomplete...

which doesn't render suggestions as HTML. See https://github.com/LeaVerou/awesomplete/pull/17082
2017-07-12 22:38:03 +02:00 · 2017-07-12 22:38:03 +02:00 · 647395a504
commit 647395a504
parent c422237668
3 changed files with 10 additions and 3 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,6 +1,13 @@
 # Changelog

-## 3.1.0 ((2017-07-05))
+## 3.1.1 (Unreleased)
+
+- Use a patched version of [awesomplete](https://github.com/LeaVerou/awesomplete)
+  which doesn't render suggestions as HTML (possible XSS attack vector). [jcbrand]
+
+More info here: https://github.com/LeaVerou/awesomplete/pull/17082
+
+## 3.1.0 (2017-07-05)

 ### API changes
 - Deprecate the `updateSettings` method in favour of
--- a/package.json
+++ b/package.json
@ -33,7 +33,7 @@
  },
  "devDependencies": {
    "almond": "~0.3.3",
-    "awesomplete": "^1.1.1",
+    "awesomplete-avoid-xss": "^1.1.2",
    "backbone": "1.3.3",
    "backbone.browserStorage": "0.0.3",
    "backbone.overview": "0.0.3",
--- a/src/config.js
+++ b/src/config.js
@ -16,7 +16,7 @@ require.config({
    baseUrl: '.',
    paths: {
        "almond":                   "node_modules/almond/almond",
-        "awesomplete":              "node_modules/awesomplete/awesomplete",
+        "awesomplete":              "node_modules/awesomplete-avoid-xss/awesomplete",
        "backbone":                 "node_modules/backbone/backbone",
        "backbone.noconflict":      "src/backbone.noconflict",
        "backbone.browserStorage":  "node_modules/backbone.browserStorage/backbone.browserStorage",