bootstrap-tour
Don't allow sanitize in BS popover
In BS v3.4.1, tooltips and popovers sanitize HTML by default, thus removing navigation buttons from the tour.
Sorry, I feel like I'm repeatedly posting the same thing on this issue. Turning off the sanitizer as per your patch will fix the issue, but will introduce a potential security vulnerability due to XSS etc., depending on how your code works.
I strongly suggest that you change your patch to specifically whitelist the button elements, or use my fork, which exposes options to do this for you.
See https://github.com/sorich87/bootstrap-tour/issues/729
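The allowlist approach suggested in the comment above, as an added example that is not part of the original issue and is not code from bootstrap-tour or Bootstrap. It is a Node-runnable model of the Bootstrap 3.4.1 tooltip/popover whitelist sanitizer (tag allowlist, per-tag and global attribute allowlists, scheme check on `href`/`src`), so the effect of adding `button` to the allowlist versus disabling sanitization can be seen on a constructed tour-step template. Assumptions: the tour's navigation buttons carry a `data-role` attribute, only a subset of Bootstrap's default tag list is reproduced, and a small tokenizer stands in for the browser's DOMParser that Bootstrap actually uses.

```javascript
// Added example, not code from bootstrap-tour or Bootstrap: a Node-runnable
// model of the Bootstrap 3.4.1 tooltip/popover whitelist sanitizer, used to
// show why adding <button> to the allowlist beats setting `sanitize: false`.
// Bootstrap parses with DOMParser and walks real DOM nodes; the tokenizer
// below stands in for that so the logic runs without a browser or jQuery.

const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i;

// Same shape as Bootstrap 3.4.1's default whitelist: tag name -> allowed
// attributes, '*' for attributes allowed on every listed tag. Only a subset
// of the real tag list is reproduced here (assumption: enough for a tour step).
const DEFAULT_WHITELIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN],
  a: ['target', 'href', 'title', 'rel'],
  div: [], h3: [], p: [], span: [], strong: [],
};

// Scheme allowlist for href/src values. Deliberately no `g` flag: RegExp#test
// with `g` keeps state in lastIndex and gives alternating results.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/i;

// Allowlist extension for a bootstrap-tour style template. Assumption: the
// tour's navigation uses <button data-role="..."> elements; `type` is listed
// so <button type="button"> survives too. Adjust to the template in use.
function tourWhiteList(base) {
  return Object.assign({}, base, { button: ['data-role', 'type'] });
}

function allowedAttribute(name, value, allowedList) {
  const attrName = name.toLowerCase();
  if (allowedList.some((a) => typeof a === 'string' && a === attrName)) {
    // Named attribute is allowed, but URL-bearing ones also need a safe scheme.
    return attrName === 'href' || attrName === 'src' ? SAFE_URL_PATTERN.test(value) : true;
  }
  // Regex entries (e.g. aria-*) match on the attribute name.
  return allowedList.some((a) => a instanceof RegExp && a.test(attrName));
}

// Minimal tokenizer for the well-formed markup used here (double-quoted
// attribute values, no comments, no raw-text elements). Not an HTML parser.
const TOKEN = /<\/([a-z][\w-]*)\s*>|<([a-z][\w-]*)((?:\s+[\w:-]+(?:="[^"]*")?)*)\s*(\/?)>|([^<]+)/gi;
const ATTR = /([\w:-]+)(?:="([^"]*)")?/g;

function parse(html) {
  const root = { tag: '#root', attrs: [], children: [] };
  const stack = [root];
  TOKEN.lastIndex = 0;
  let m;
  while ((m = TOKEN.exec(html)) !== null) {
    const [, closeTag, openTag, rawAttrs, selfClose, text] = m;
    if (closeTag !== undefined) {
      if (stack.length > 1) stack.pop();
    } else if (openTag !== undefined) {
      const node = { tag: openTag.toLowerCase(), attrs: [], children: [] };
      ATTR.lastIndex = 0;
      let a;
      while ((a = ATTR.exec(rawAttrs)) !== null) node.attrs.push({ name: a[1], value: a[2] || '' });
      stack[stack.length - 1].children.push(node);
      if (!selfClose) stack.push(node);
    } else {
      stack[stack.length - 1].children.push({ text });
    }
  }
  return root;
}

function serialize(node) {
  if (node.text !== undefined) return node.text;
  const attrs = node.attrs.map((a) => ` ${a.name}="${a.value}"`).join('');
  const inner = node.children.map(serialize).join('');
  return node.tag === '#root' ? inner : `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// Mirrors Bootstrap's sanitizeHtml(): an element whose tag is not a whitelist
// key is removed together with its subtree; on kept elements every attribute
// not allowed for that tag (or globally) is dropped.
function sanitizeHtml(unsafeHtml, whiteList) {
  const allowedTags = Object.keys(whiteList);
  const globalAttrs = whiteList['*'] || [];
  const walk = (node) => {
    node.children = node.children.filter((child) => {
      if (child.text !== undefined) return true;
      if (!allowedTags.includes(child.tag)) return false;
      const allowed = globalAttrs.concat(whiteList[child.tag]);
      child.attrs = child.attrs.filter((a) => allowedAttribute(a.name, a.value, allowed));
      walk(child);
      return true;
    });
  };
  const root = parse(unsafeHtml);
  walk(root);
  return serialize(root);
}

// Constructed sample: a tour step body plus the kind of injected markup the
// sanitizer exists to stop (a javascript: link and an inline event handler).
const STEP_HTML =
  '<div class="popover-content"><p>Step 1</p><a href="javascript:alert(1)">go</a></div>' +
  '<div class="popover-navigation">' +
  '<button class="btn btn-default" data-role="prev" onclick="alert(1)">Prev</button>' +
  '<button class="btn btn-default" data-role="next">Next</button>' +
  '</div>';

console.log('default :', sanitizeHtml(STEP_HTML, DEFAULT_WHITELIST)); // navigation buttons removed
console.log('extended:', sanitizeHtml(STEP_HTML, tourWhiteList(DEFAULT_WHITELIST))); // buttons kept, onclick and javascript: dropped
```

With the default list the navigation buttons disappear, which is the symptom reported in this issue; with the `button` entry added they survive while the `onclick` handler and the `javascript:` href are still stripped. In a page with Bootstrap 3.4.1 loaded, the equivalent of `tourWhiteList` is to extend the shared defaults before the tour starts, `$.fn.tooltip.Constructor.DEFAULTS.whiteList.button = ['data-role', 'type']`, or to pass the extended object as the popover's `whiteList` option where the tour library forwards it; `sanitize: false` is the global switch the thread warns against, since it also passes through the attacker-controlled markup shown above.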
My bad, I did not investigate the code thoroughly enough. I thought the source of HTML is internal only, but now I see user can pass contents and the template of the popover through options. In my project, I've just disabled BS sanitization globally, because of this issue. I know what I'm doing and can afford this (a browser extension with strict CSP and the only source of HTML being my compiled JS).
But I can imagine other projects, where this issue arises and someone disables BS sanitization globally as a quick fix, with far more bad consequences than good ones.
IMHO it should work out of the box, at least with BS 3.4, and only sanitize user-supplied contents of templates unless explicitly requested otherwise.
I would recommend using @IGreatlyDislikeJavascript's fork. It is working much better.