From 5bb38ce959f4440642d451082a65aef14869c58f Mon Sep 17 00:00:00 2001
From: sb745 <201226723+sb745@users.noreply.github.com>
Date: Mon, 22 Dec 2025 04:14:02 +0200
Subject: [PATCH] Incomplete multi-character sanitization fix
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 nyaa/static/js/bootstrap-select.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/nyaa/static/js/bootstrap-select.js b/nyaa/static/js/bootstrap-select.js
index ee12bb6..c5c9aa6 100644
--- a/nyaa/static/js/bootstrap-select.js
+++ b/nyaa/static/js/bootstrap-select.js
@@ -804,8 +804,10 @@
 title = typeof this.options.title !== 'undefined' ? this.options.title : this.options.noneSelectedText;
 }
- //strip all HTML tags and trim the result, then unescape any escaped tags
- this.$button.attr('title', htmlUnescape($.trim(title.replace(/<[^>]*>?/g, ''))));
+ //strip all HTML tags in a DOM-safe way and trim the result, then unescape any escaped tags
+ var $tmp = $('
').html(title);
+ var plainTitle = $tmp.text();
+ this.$button.attr('title', htmlUnescape($.trim(plainTitle)));
 this.$button.children('.filter-option').html(title);
 this.$element.trigger('rendered.bs.select');
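Review bot: The added `$tmp` line passes `title` to jQuery's `.html()`, which parses the markup in the context of the live document, so event-handler attributes on elements such as images can fire even though the temporary node is never attached; the old regex was incomplete, but it parsed nothing. If `title` can contain user-influenced option text, take the text from an inert document instead, e.g. `var plainTitle = new DOMParser().parseFromString(title, 'text/html').body.textContent;`. `.text()` already decodes entities, so the `htmlUnescape` call that follows decodes a second time and deserves either a comment explaining why or removal. The unchanged `this.$button.children('.filter-option').html(title)` below the change still inserts the raw markup, so the alert this commit answers is not the only sink on this path. The enclosing function starts and ends outside the hunk.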