Sanitize HTML in subtext and title instead of stripping it away

[hossein]

The sanitizer implemented in 1.13.6 (#2199) sanitizes the data-content, but not data-subtext and title.

However, there are valid use cases one might want to use html in subtext and in the title (in our use case to show detailed information in the button for the selected item).

Therefore I think the component should sanitize these attributes instead of just stripping HTML out. This is more consistent with data-content sanitizing and would also resolve #2225 gracefully.

[caseyjhol]

See #1889 and https://stackoverflow.com/questions/48913405/bootstrap-selectpicker-data-subtext-disappears/49030441#49030441. Other than not being as elegant, is there a reason data-content won't work for you?

[hossein]

Hi; thanks for the information! The original message was kinda written in a hurry btw so I forgot to also thank you for the great component! 👍

It is clear that data-subtext behavior can be easily imitated. However the problematic part for us is the title attribute: Consider the scenario in which we show a formatted list of customers using data-content. After selecting a customer, we would like to show a small profile image as well as contact information about the customer on the button itself (*).

We did this by setting title attribute on each option before 1.13.6, but titles can no longer contain html. The list displays fine, but after selecting an item the button will contain html garbage instead of images and formatting. Therefore it would be a good idea to treat data-content and title equally with regard to HTML escaping and sanitizing (**).

(*) Let's not discuss the rationale behind such design; I know we can have separate fields outside the button.
(**) And maybe data-subtext as well, just for consistency's sake, or explicitly mention it can't contain html in its docs.

[hossein]

I saw there are plans for the title attribute in #2228 but didn't quite get what will change. Are there other plans for the title attribute in the next version?

[mikeploeger]

I have the same problem, can't set with html icons since 1.13.6. A breaking change in a minor release :( It would be great if you could provide a way of allowing html back in the title tag!

[mikeploeger]

@caseyjhol

Problem also mentioned in:
#2388

[caseyjhol]

@hossein I have plans to add some new options in the next minor release to replace title on individual options with something more intuitive. See #2458. Please 👍 to vote and subscribe 🔉 for updates.

[hossein]

@caseyjhol Thanks for pointing out the issue. That provides a working alternative for our use case to specify selected item's content instead of using title (I see you had concerns about conflicting with select's own title). If implemented, this issue and related ones can be closed.