Escape html places

[cmdcolin]

@garrettjstevens This is sort of a modification to to the escaping/unescaping approach that was going on.

If you want to test and give feedback let me know!

[cmdcolin]

I have changed the approach to make it explicit when we want to escape HTML by default on all values but by it enables unsafe HTML rendering if the "fmtDetailValue" or "fmtMetaValue" config is used as this is often used for creating custom HTML in a popup

Therefore this allows the behavior or customization with HTML when users have an advanced config but safe behavior by default

[garrettjstevens]

@cmdcolin the idea of escaping by default unless one of those configs is present. I think I found a couple places where unescaped HTML might be coming through, though. It looks like it's probably happening in the mouseovers for CanvasFeatures and the description for HTMLFeatures, since the <CN0> and <CN2> are missing:

[cmdcolin]

I think that's true, mouseover tooltips do allow html. Another place would be like the literal htmlfeatures feature labels. There are probably a lot of places and it's a little treacherous....I am imagining that unsafe html will possibly be better managed in react land..

[cmdcolin]

I added some changes to allow explicit unsafeMouseover, unsafePopup, and unsafeHTMLFeatures. Some of this is slightly breaking if someone assumed that HTML could be safely displayed in these areas. When fmtDetailValue callbacks are used it is automatically assumed unsafe on a specific field in the popups. Otherwise you have to manually set unsafePopup on the track config.

[garrettjstevens]

Looks great to me! I think React just assumes that you need to escape everything. If you try to use unescaped text it triggers an eslint rule (see below). So with JB2 we might just need to say that everything is going to be interpreted as HTML so it should already be escaped. Plus with JSX syntax turned on you pretty much have to escape things like < and > or else you'll get syntax errors.