
Documentation should make clear results are not escaped before inclusion in HTML

Open rbu opened this issue 11 years ago • 1 comment

The documentation and examples make no mention of what happens when the server returns a label/value that is not safe to include in HTML without escaping. Examples only contain ASCII values.

While this is not a security issue in itself, documentation should mention that either the client or server needs to escape strings to avoid the possibility of a Cross-Site-Scripting (XSS) attack.

The better (yet backwards-incompatible) option would be to actually make this safer by introducing a default labelHTML function that escapes the value, allowing users to use the (current) identity function if they trust the server to return properly sanitized text.

rbu avatar Aug 27 '14 09:08 rbu

The server returning HTML will actually cause invalid HTML to be created:

<a href="..." data-transition="fade" data-autocomplete="{&quot;value&quot;:556,&quot;label&quot;:&quot;fnord <script>alert('hello')</script>&quot;}" class="ui-link-inherit">fnord <script>alert('hello')</script></a>

Note that according to the HTML spec, attribute values may only contain text and character references, where the data-autocomplete attribute contains control characters.

rbu avatar Aug 27 '14 09:08 rbu
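The two rendering paths discussed in the issue and the follow-up comment, as an added example that is not code from autoComplete.js or from the reporter: the current identity-function behaviour that echoes a server-supplied label into the attribute and the element body unchanged, beside a default label function that escapes it. The names `escapeHtml`, `renderItemUnsafe` and `renderItem` are hypothetical, and the server item is constructed from the sample in the comment.

```javascript
// Added example, not autoComplete.js code. Shows the unescaped rendering
// the issue describes next to the escaping default it proposes.

// Escape the five characters that matter in HTML text and in
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Current behaviour: labelHTML defaults to the identity function, so the
// server's text lands in the element body as-is; only the quotes of the
// JSON attribute are replaced, which is what produced the markup in the
// comment above.
function renderItemUnsafe(item, labelHTML = (s) => s) {
  const json = JSON.stringify(item).replace(/"/g, '&quot;');
  return `<a href="#" data-autocomplete="${json}" class="ui-link-inherit">` +
    `${labelHTML(item.label)}</a>`;
}

// Proposed default: escape both the attribute payload and the label.
// A caller who trusts the server can still pass (s) => s explicitly.
function renderItem(item, labelHTML = escapeHtml) {
  const json = escapeHtml(JSON.stringify(item));
  return `<a href="#" data-autocomplete="${json}" class="ui-link-inherit">` +
    `${labelHTML(item.label)}</a>`;
}

// Constructed server response, modelled on the issue comment's sample.
const serverItem = { value: 556, label: "fnord <script>alert('hello')</script>" };

// Simple check a test or review can use: does the markup still carry a
// live script tag? Escaped text contains "&lt;script", never "<script".
function containsRawScript(html) {
  return /<script/i.test(html);
}

console.log(renderItemUnsafe(serverItem)); // script tag reaches the page
console.log(renderItem(serverItem));       // script tag rendered as text only
```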