From 56a8afa6295286b272a18505b395173d0de8a5ca Mon Sep 17 00:00:00 2001
From: Dominique Hazael-Massieux
Date: Wed, 26 Jun 2019 13:10:48 -0700
Subject: [PATCH] Escape HTML characters in list of suggestions

> > fix #16932 > > Generate manual DOM subtree for each marked instance of the queried string instead of generating an unsafe HTML string
---
 awesomplete.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/awesomplete.js b/awesomplete.js
index 396fb711..27c8cd7f 100644
--- a/awesomplete.js
+++ b/awesomplete.js
@@ -371,9 +371,23 @@ _.CONTAINER = function (input) {
 }
 
 _.ITEM = function (text, input, item_id) {
-	var html = input.trim() === "" ? text : text.replace(RegExp($.regExpEscape(input.trim()), "gi"), "$&");
+	var span = document.createElement("span");
+	if (input.trim() === "") {
+		span.textContent = text;
+	} else {
+		var matcher = RegExp($.regExpEscape(input.trim()), "gi");
+		var m, cur = 0;
+		while((m = matcher.exec(text)) !== null) {
+			span.appendChild(document.createTextNode(text.slice(cur, m.index)));
+			var mark = document.createElement("mark");
+			mark.textContent = m[0];
+			span.appendChild(mark);
+			cur = m.index + m[0].length;
+		}
+		span.appendChild(document.createTextNode(text.slice(cur)));
+	}
 	return $.create("li", {
-		innerHTML: html,
+		innerHTML: span.innerHTML,
 		"role": "option",
 		"aria-selected": "false",
 		"id": "awesomplete_list_" + this.count + "_item_" + item_id
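Review bot: The new `innerHTML: span.innerHTML` line serializes the freshly built text and mark nodes and then has `$.create` re-parse that string as HTML; the round trip is safe only because the browser's serializer entity-escapes text nodes, which is the property the whole fix rests on and deserves a comment beside the line, e.g. `// span holds only text nodes and mark elements, so its serialized form carries no markup from text`. Appending the nodes to the created `li` would remove the serialize/re-parse step altogether, e.g. `var li = $.create("li", { "role": "option", ... });` followed by `while (span.firstChild) li.appendChild(span.firstChild); return li;`. The `while` loop over `matcher.exec` cannot spin on a zero-width match because the else branch runs only when `input.trim()` is non-empty and the escaped literal therefore consumes at least one character per match; a one-line comment above the loop stating that would spare the next reader the check. _.ITEM's body continues past the end of the hunk.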