XSS. highlight filter takes text and treats it as html without encoding

[mobz]

The highlight filter is supposed to be used with ng-bind-html but does not perform any html encoding on the input. When items in a select are user generated, there is a potential for malicious behaviour.

For example if a user enters a name as Bob <img src="//porn.xxx/nsfw.gif"> Smith The image will be rendered in the select dropdown

The plnkr shows two ui-selects, one has the problematic highlight, the uses a fixed version of highlight

http://plnkr.co/edit/PR1IndT4oXZCm4UrnrNo?p=preview

The bug is in the highlight filter of in ui-select/common.js in 0.19.8

[Jefiozie]

Hi thanks for this issue. Can you make a PR for this to resolve this issue?

[felixmosh]

Why it is related to ui-select?
You have used ng-bind-html in-order to put that html.