feat: Introduce allowHTML option to allow people to disable injecting HTML into choices.

[mason-rogers]

Description

This is a continuation of #968 to address an XSS vulnerability when creating labels for choices.

Screenshots (if appropriate)

Choices executing JavaScript functions (alert()) defined in a label string.

Types of changes

• Chore (tooling change or documentation change)
• Refactor (non-breaking change which maintains existing functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.

[mtriff]

Awesome! Thanks for taking this up. There are a few test and linting errors that need to be resolved. Can you also add Cypress tests for the three states of allowHTML (true, false, undefined)?

[mason-rogers]

Should be done 👍Let me know if there are any other changes you would like to be done.

[mtriff]

Almost there, still a couple of linting issues. It also looks like we have an issue with custom templates. You can see in the demo page that the custom template example is no longer rendering correctly (there's a unit test failure that should point you in the right direction too).

[mtriff]

This is excellent, one minor nitpick. Also, the callbackOnCreateTemplates advanced example in the README needs to be updated too. Then we are good to merge.

[mason-rogers]

All done! 👍

[mtriff]

Excellent, thanks for this! I made some small changes to the wording around allowHTML and set allowHTML: false on our remote fetching examples (we should probably model good behaviour 😄).

[mason-rogers]

Thanks for merging this, is there any chance this will be included in a release soon? Also, while I'm here I have a question regarding the typings because Im not able to import choices.js with typings through import Choices from 'choices.js or import { Choices } from 'choices.js'.

Seems like the typings file package.json points to isn't shipped with the module on npm so I can't make it work for me in a TS vue project.

[mtriff]

I'd expect a release in the next week or two. There's at least one more breaking change I'd like to get merged first.

Thanks for flagging the types issue, looks like this was missed when the project was converted to TypeScript. It has been fixed on master (see #985). import Choices from 'choices.js' should work again.

[mason-rogers]

Just had another go with the new version with the supposed typings fix - still no luck on my end.

Judging off of this diff, the npm module should ship with a public/types folder, which it doesn't seem to do.

[mtriff]

Are you installing from the master branch?

npm install Choices-js/Choices#master

There won't be a new version pushed to npm until the next release.

[mason-rogers]

Yes, that's the exact command I ran to install it (I also uninstalled the release version beforehand)

    "choices.js": "github:Choices-js/Choices#master",

This is the line in my package.json, and the contents of the module are the same as above still.

[mason-rogers]

I've created a PR which fixes this issue: #986