
Sanitize HTML in subtext and title instead of stripping it away #2247

Open
hossein opened this issue Mar 28, 2019 · 7 comments


@hossein

hossein commented Mar 28, 2019

The sanitizer implemented in 1.13.6 (#2199) sanitizes the data-content, but not data-subtext and title.

However, there are valid use cases in which one might want to use HTML in the subtext and in the title (in our use case, to show detailed information in the button for the selected item).

Therefore, I think the component should sanitize these attributes instead of just stripping HTML out. This is more consistent with the data-content sanitizing and would also resolve #2225 gracefully.
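As an added illustration of the "sanitize, don't strip" approach argued for above (this is not bootstrap-select's code and not code posted by anyone in this thread), the following plain-JavaScript fragment sanitizer rebuilds only allowlisted tags and attributes from parsed parts and drops everything else; the allowlist, the helper names and the treatment of `img src` are my own assumptions, chosen to fit the profile-image-in-the-button use case.

```javascript
// Added example (not bootstrap-select code): an allowlist sanitizer for a short
// HTML fragment such as a data-subtext or title value. Allowlisted tags are rebuilt
// from parsed parts, unknown tags are dropped, text and attributes are re-escaped.
const ALLOWED = new Map(Object.entries({ b: [], i: [], em: [], strong: [], span: ['class'], img: ['src', 'alt', 'class'] }));
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED = new Map(Object.entries({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }));
const escapeHtml = s => s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
// Decode entities first so a scheme written as &#106;avascript: is seen for what it is.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (name) return NAMED.get(name.toLowerCase()) ?? m;
    const cp = hex ? parseInt(hex, 16) : Number(dec);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}
const text = s => escapeHtml(decodeEntities(s)); // normalise text nodes and attribute values
// Relative and http(s) URLs only; control chars go first, browsers skip them inside a scheme.
function safeUrl(u) {
  const v = u.replace(/[\u0000-\u0020]/g, '');
  return !/^[a-z][a-z0-9+.-]*:/i.test(v) || /^https?:/i.test(v);
}
function sanitizeFragment(html) {
  let out = '', last = 0; const open = [];      // open-tag stack keeps the output well-formed
  for (const m of html.matchAll(TAG_RE)) {
    out += text(html.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;            // e.g. <script>: tag dropped, inner text kept as text
    if (m[1]) {                                   // closing tag: emit only if that element is open
      if (!open.includes(name)) continue;
      let top; do { top = open.pop(); out += `</${top}>`; } while (top !== name);
      continue;
    }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(key)) continue; // on*, style, href... never survive
      const val = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
      if (key === 'src' && !safeUrl(val)) continue;
      attrs += ` ${key}="${escapeHtml(val)}"`;
    }
    out += `<${name}${attrs}>`;
    if (name !== 'img') open.push(name);          // img is void, never waits for a close tag
  }
  out += text(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}
```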

@caseyjhol
Member

See #1889 and https://stackoverflow.com/questions/48913405/bootstrap-selectpicker-data-subtext-disappears/49030441#49030441. Other than not being as elegant, is there a reason data-content won't work for you?

@hossein
Author

hossein commented Mar 29, 2019

Hi; thanks for the information! The original message was kinda written in a hurry btw so I forgot to also thank you for the great component! 👍

It is clear that the data-subtext behavior can be easily imitated. However, the problematic part for us is the title attribute: consider the scenario in which we show a formatted list of customers using data-content. After selecting a customer, we would like to show a small profile image as well as contact information about the customer on the button itself (*).

We did this by setting the title attribute on each option before 1.13.6, but titles can no longer contain HTML. The list displays fine, but after selecting an item the button will contain HTML garbage instead of images and formatting. Therefore it would be a good idea to treat data-content and title equally with regard to HTML escaping and sanitizing (**).

(*) Let's not discuss the rationale behind such design; I know we can have separate fields outside the button.
(**) And maybe data-subtext as well, just for consistency's sake, or explicitly mention that it can't contain HTML in its docs.

@hossein
Author

hossein commented Apr 5, 2019

I saw there are plans for the title attribute in #2228 but didn't quite get what will change. Are there other plans for the title attribute in the next version?

@mikeploeger

mikeploeger commented Feb 8, 2020

I have the same problem; I can't set HTML icons since 1.13.6. A breaking change in a minor release :( It would be great if you could provide a way of allowing HTML back in the title tag!

@mikeploeger

@caseyjhol

Problem also mentioned in:
#2388

@caseyjhol
Member

@hossein I have plans to add some new options in the next minor release to replace title on individual options with something more intuitive. See #2458. Please 👍 to vote and subscribe 🔉 for updates.

@hossein
Author

hossein commented May 8, 2020

@caseyjhol Thanks for pointing out the issue. That provides a working alternative for our use case to specify the selected item's content instead of using title (I see you had concerns about conflicting with the select's own title). If implemented, this issue and related ones can be closed.
