fix: properly handle special characters in user-provided IDs (closes #4927, #5561)

[dietergeerts]

Describe the PR

Special characters are allowed in HTML5 (https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id) but need to be escaped when used in a selector for usage in e.g. document.querySelector().

This PR makes sure to escape user-provided IDs (e.g. for <b-form-group> or a <b-tags-input>) when used with the select() util.

Closes #4927, #5561.

PR checklist

What kind of change does this PR introduce? (check at least one)

• Bugfix (fixes a boo-boo in the code) - fix(...), requires a patch version update
• Feature (adds a new feature to BootstrapVue) - feat(...), requires a minor version update
• Enhancement (augments an existing feature) - feat(...), requires a minor version update
• ARIA accessibility (fixes or improves ARIA accessibility) - fix(...), requires a patch or minor version update
• Documentation update (improves documentation or typo fixes) - chore(docs), requires a patch version update
• Other (please describe)

Does this PR introduce a breaking change? (check one)

• No
• Yes (please describe since breaking changes require a minor version update)

The PR fulfills these requirements:

• It's submitted to the dev branch, not the master branch
• When resolving a specific issue, it's referenced in the PR's title (i.e. [...] (fixes #xxx[,#xxx]), where "xxx" is the issue number)
• It should address only one issue or feature. If adding multiple features or fixing a bug and adding a new feature, break them into separate PRs if at all possible.
• The title should follow the Conventional Commits naming convention (i.e. fix(alert): not alerting during SSR render, docs(badge): update pill examples, chore(docs): fix typo in README, etc). This is very important, as the CHANGELOG is generated from these messages, and determines the next version type (patch or minor).

If new features/enhancement/fixes are added or changed:

• Includes documentation updates
• Includes component package.json meta section updates (prop, slot and event changes/updates)
• Includes any needed TypeScript declaration file updates
• New/updated tests are included and passing (required for new features and enhancements)
• Existing test suites are passing
• CodeCov for patch has met target (all changes/updates have been tested)
• The changes have not impacted the functionality of other components or directives
• ARIA Accessibility has been taken into consideration (Does it affect screen reader users or keyboard only users? Clickable items should be in the tab index, etc.)

If adding a new feature, or changing the functionality of an existing feature, the PR's
description above includes:

• A convincing reason for adding this feature (to avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it)

[dietergeerts]

I also would like to mention that for me, at first, it wasn't clear that when you use label-for, that the id on the input has to be provided. I though that the b-form-group would add this automatically. After reading the docs again, I see it's stated, but like a bit "hidden". I believe it would be beneficial to have it more prominent in the docs.

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 3879c5e:

Sandbox	Source
BootstrapVue Starter Project	Configuration

[codecov]

Codecov Report

Merging #5564 into dev will not change coverage.
The diff coverage is 100.00%.

@@            Coverage Diff            @@
##               dev     #5564   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          277       278    +1     
  Lines         9380      9409   +29     
  Branches      2497      2514   +17     
=========================================
+ Hits          9380      9409   +29     

Flag	Coverage Δ
#unittests	100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/components/form-group/form-group.js	100.00% <100.00%> (ø)
src/components/form-tags/form-tags.js	100.00% <100.00%> (ø)
src/utils/css-escape.js	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ec51ef0...3879c5e. Read the comment docs.

[dietergeerts]

In the original post, I stated that CSS.escape should be used, but as it's experimental, and not supported by all browser supported by bootstrap-vue, I included a polyfill instead.

[jacobmllr95]

@dietergeerts IMHO the escaping isn't wort it. Especially when we need to add an additional dependency.
Just make sure to only use IDs that are supported by .querySelector() out fo the box.

[dietergeerts]

@jackmu95, like explained in the issue, we are not in control of the used id. The extra dependency was added because CSS.escape is still experimental and not supported by all browsers this library supports. So if this is not fixed, we'll be unable to use this library.

[jacobmllr95]

@dietergeerts You have to make sure to assign a valid ID to the control of the <b-form-group> in the first place.
https://codesandbox.io/s/nifty-brook-kztwz?file=/App.vue

[dietergeerts]

@dietergeerts You have to make sure to assign a valid ID to the control of the <b-form-group> in the first place.
https://codesandbox.io/s/nifty-brook-kztwz?file=/App.vue

Well /1547-3 for example is a valid id in HTML5, and one that we get from a 3rd party system as unique id to be used in our forms.

Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/id

[jacobmllr95]

@dietergeerts I will revisit this later today.

css.escape is a polyfill for CSS.escape and would cause side-effects.
I think we should create a util for this ourselves which borrows most of the code.

There are also other places we need to escape a user-provided ID.

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/bootstrap-vue/bootstrap-vue/ctlihtqim
✅ Preview: https://bootstrap-vue-git-fork-dietergeerts-dev.bootstrap-vue.vercel.app

[jacobmllr95]

Thanks @dietergeerts!

[dietergeerts]

@jackmu95 , thx for finishing up and having it merged. Is there any schedule when releases are made? (just wondering, as I see a github-project with the version tag where all is in done column, and as all is like very well automated, I assumed it would have been released already)