
Can sanitizeHtml() be made a public utility? #29586

Closed
tiesont opened this issue Oct 25, 2019 · 1 comment

Comments

@tiesont
Contributor

tiesont commented Oct 25, 2019

Not really sure if this has been requested before, or if it even makes sense to do so, but is it at all possible to expose the functions from sanitize.js as something that can be called when using bootstrap.js?

Why?

I help maintain the Bootbox library, which creates Bootstrap modals on the fly. One of the features we've had pretty much from the beginning was the ability to use HTML in the message and title you wanted to show to the user. Something like:

// title and message are inserted into the modal as HTML (via jQuery's html())
bootbox.alert({
    title: 'I have <b>Something Important</b> to say:',
    message: 'I AM A <i>BANANA</i>!'
});

That's all well and good, and works as intended, but apparently kids these days expect small libraries to work like the React and Angular frameworks, and protect them from themselves by automatically sanitizing input (see bootboxjs/bootbox#661). We use jQuery's html() function to allow the aforementioned styled messages, so now it's (apparently) become an issue (the npm package is marked as containing a vulnerability). I don't want to add an external dependency beyond Bootstrap, and I see that you have sanitizing built into tooltips and popovers. It would be great to just be able to call into sanitizeHtml() inside Bootbox, but I haven't found that to be possible. Then again, I'm not a JavaScript expert, so I wouldn't be surprised if it's already possible. If so, could that be documented somewhere (even if it's just a few pointers here prior to closing this issue)?

@Johann-S
Member

Hi @tiesont,

I'm not really in favor of sharing our sanitizeHtml method, because it's a very simple sanitizer; people who need a real sanitizer should use something like DOMPurify.

I would suggest you provide a way for your users to sanitize their inputs themselves; we did that with the sanitizeFn option, which allows folks to pass their own sanitize function. See: https://getbootstrap.com/docs/4.3/components/tooltips/#options

I hope it helps you 👍

/CC @twbs/js-review: if someone thinks otherwise, do not hesitate to reopen 😉
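As an added example of the option shape suggested above (this is not Bootbox's or Bootstrap's code), a dialog builder that applies whatever `sanitizeFn` the caller supplies before the strings would reach `html()`; the `sanitize` and `sanitizeFn` option names are borrowed from Bootstrap 4.3's tooltip options, while `buildDialog`, `applySanitizer` and `escapeHtml` are hypothetical names.

```javascript
// Added example, not library code: a dialog builder that mirrors the
// `sanitize` / `sanitizeFn` option shape Bootstrap 4.3 uses for tooltips
// and popovers, so users can plug in a real sanitizer (e.g. DOMPurify)
// instead of the library shipping an ad-hoc one.

// Entity-escape a string so it renders as literal text when inserted via
// html(). This is the fallback when no sanitizeFn is given: styled markup
// is lost, but no unreviewed markup reaches the DOM.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

const defaults = {
  sanitize: true,    // false reproduces the legacy "raw html()" behaviour
  sanitizeFn: null,  // e.g. (html) => DOMPurify.sanitize(html)
};

// Apply the caller's policy to one option value (title, message, ...).
function applySanitizer(value, options) {
  if (value === undefined || value === null) return '';
  if (!options.sanitize) return String(value);        // explicit opt-out
  if (typeof options.sanitizeFn === 'function') {
    return options.sanitizeFn(String(value));         // user-supplied sanitizer
  }
  return escapeHtml(value);                           // safe default
}

// Build the per-field markup the library would hand to jQuery's html().
// Returning plain strings lets the policy be checked without a DOM.
function buildDialog(userOptions) {
  const options = { ...defaults, ...userOptions };
  return {
    title: applySanitizer(options.title, options),
    message: applySanitizer(options.message, options),
  };
}
```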
