From 49244f477166191f7df5e1352faf8ef9c4488def Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 23 Jan 2019 11:54:35 +0100
Subject: [PATCH] we still need to pull
 https://github.com/dragonofmercy/Tokenize2/pull/51 to prevent escaping
 issues, closes https://github.com/opnsense/core/issues/3145

---
 src/opnsense/www/js/tokenize2.js | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/opnsense/www/js/tokenize2.js b/src/opnsense/www/js/tokenize2.js
index 290d73042..4dd3d9e60 100644
--- a/src/opnsense/www/js/tokenize2.js
+++ b/src/opnsense/www/js/tokenize2.js
@@ -238,7 +238,7 @@
         if(this.options.sortable){
             var previous, current, data = this.tokensContainer.tokenize2sortable('serialize').get(0);
             $.each(data, $.proxy(function(k, v){
-                current = $('option[value="' + v.value + '"]', this.element);
+                current = $('option[value="' + $.escapeSelector(v.value) + '"]', this.element);
                 if(previous === undefined){
                     current.prependTo(this.element);
                 } else {
@@ -294,13 +294,13 @@
         }
 
         // Check duplicate token
-        if($('li.token[data-value="' + value + '"]', this.tokensContainer).length > 0){
+        if($('li.token[data-value="' + $.escapeSelector(value) + '"]', this.tokensContainer).length > 0){
             this.trigger('tokenize:tokens:error:duplicate', [value, text]);
             return this;
         }
 
-        if($('option[value="' + value + '"]', this.element).length) {
-            $('option[value="' + value + '"]', this.element).attr('selected', 'selected').prop('selected', true);
+        if($('option[value="' + $.escapeSelector(value) + '"]', this.element).length) {
+            $('option[value="' + $.escapeSelector(value) + '"]', this.element).attr('selected', 'selected').prop('selected', true);
         } else if(force){
             this.element.append($('<option selected />').val(value).html(text));
         } else if(this.options.tokensAllowCustom){
@@ -333,8 +333,7 @@
      * @returns {Tokenize2}
      */
     Tokenize2.prototype.tokenRemove = function(v){
-
-        var $item = $('option[value="' + v + '"]', this.element);
+        var $item = $('option[value="' + $.escapeSelector(v) + '"]', this.element);
 
         if($item.attr('data-type') === 'custom'){
             $item.remove();
@@ -342,7 +341,7 @@
             $item.removeAttr('selected').prop('selected', false);
         }
 
-        $('li.token[data-value="' + v + '"]', this.tokensContainer).remove();
+        $('li.token[data-value="' + $.escapeSelector(v) + '"]', this.tokensContainer).remove();
 
         this.trigger('tokenize:tokens:reorder');
         return this;