bootstrap-select icon indicating copy to clipboard operation
bootstrap-select copied to clipboard
verified publisher icon snapappointments

Sanitize HTML in subtext and title instead of stripping it away

Open hossein opened this issue 6 years ago • 7 comments

The sanitizer implemented in 1.13.6 (https://github.com/snapappointments/bootstrap-select/issues/2199) sanitizes the data-content, but not data-subtext and title.

However, there are valid use cases one might want to use html in subtext and in the title (in our use case to show detailed information in the button for the selected item).

Therefore I think the component should sanitize these attributes instead of just stripping HTML out. This is more consistent with data-content sanitizing and would also resolve https://github.com/snapappointments/bootstrap-select/issues/2225 gracefully.

hossein avatar Mar 28 '19 12:03 hossein

See #1889 and https://stackoverflow.com/questions/48913405/bootstrap-selectpicker-data-subtext-disappears/49030441#49030441. Other than not being as elegant, is there a reason data-content won't work for you?

caseyjhol avatar Mar 28 '19 15:03 caseyjhol

Hi; thanks for the information! The original message was kinda written in a hurry btw so I forgot to also thank you for the great component! :+1:

It is clear that data-subtext behavior can be easily imitated. However the problematic part for us is the title attribute: Consider the scenario in which we show a formatted list of customers using data-content. After selecting a customer, we would like to show a small profile image as well as contact information about the customer on the button itself (*).

We did this by setting title attribute on each option before 1.13.6, but titles can no longer contain html. The list displays fine, but after selecting an item the button will contain html garbage instead of images and formatting. Therefore it would be a good idea to treat data-content and title equally with regard to HTML escaping and sanitizing (**).

(*) Let's not discuss the rationale behind such design; I know we can have separate fields outside the button. (**) And maybe data-subtext as well, just for consistency's sake, or explicitly mention it can't contain html in its docs.

hossein avatar Mar 29 '19 17:03 hossein

I saw there are plans for the title attribute in https://github.com/snapappointments/bootstrap-select/issues/2228 but didn't quite get what will change. Are there other plans for the title attribute in the next version?

hossein avatar Apr 05 '19 11:04 hossein

I have the same problem, can't set

It would be great if you could provide a way of allowing html back in the title tag!

mikeploeger avatar Feb 08 '20 13:02 mikeploeger

@caseyjhol

Problem also mentioned in: https://github.com/snapappointments/bootstrap-select/issues/2388

mikeploeger avatar Feb 08 '20 13:02 mikeploeger

@hossein I have plans to add some new options in the next minor release to replace title on individual options with something more intuitive. See #2458. Please 👍 to vote and subscribe 🔉 for updates.

caseyjhol avatar May 07 '20 23:05 caseyjhol

@caseyjhol Thanks for pointing out the issue. That provides a working alternative for our use case to specify selected item's content instead of using title (I see you had concerns about conflicting with select's own title). If implemented, this issue and related ones can be closed.

hossein avatar May 08 '20 14:05 hossein