This repository was archived by the owner on Oct 2, 2019. It is now read-only.
The highlight filter is supposed to be used with ng-bind-html but does not perform any html encoding on the input. When items in a select are user generated, there is a potential for malicious behaviour.
For example, if a user enters a name as `Bob <img src="//porn.xxx/nsfw.gif"> Smith`, the image will be rendered in the select dropdown.
The plnkr shows two ui-selects: one has the problematic highlight, the other uses a fixed version of highlight.
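The behaviour reported above and one way to encode the output, as an added example that is not part of the original issue or the project's code. The function names, the sample name and the `example.invalid` host are constructed for illustration; the functions are plain JavaScript with no AngularJS dependency.

```javascript
// Constructed sample input: a user-supplied display name carrying markup.
const SAMPLE_NAME = 'Bob <img src="//example.invalid/x.gif"> Smith';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function escapeRegExp(text) {
  return String(text).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Models the behaviour the issue describes: the item text is placed into
// the highlight markup without any HTML encoding.
function highlightUnencoded(item, query) {
  if (!query || !item) return item;
  return String(item).replace(
    new RegExp(escapeRegExp(query), 'gi'),
    '<span class="ui-select-highlight">$&</span>'
  );
}

// Encoded variant. Matching runs on the raw text and every segment is
// encoded separately, so a query such as "amp" cannot match inside an
// entity like "&amp;" that the encoder itself produced.
function highlightEncoded(item, query) {
  const text = item == null ? '' : String(item);
  if (!query) return escapeHtml(text);
  const re = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    out += '<span class="ui-select-highlight">' + escapeHtml(m[0]) + '</span>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}
```

With the encoded variant, the only markup that reaches `ng-bind-html` is the highlight `<span>` the filter itself generates; everything from the item text arrives as entities.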