Typeahead use bind-html-unsafe

[albertein]

The typeahead directive uses bind-html-unsafe for the template of matches, https://github.com/angular-ui/bootstrap/blob/master/template/typeahead/typeahead-match.html.

The property on the directive doesn't indicate on any way that it can be dangerous, it should either:

a) Remove html-bind-unsafe entirely
b) Having typeahead use html-bind-unsafe should be a parameter set explicitly.

I would be happy to do any of those.

[chrisirhc]

I think we should remove its use entirely. To do this we'll need to:

1. Switch to use ng-bind-html in the typeahead-match.html template
2. Modify typeaheadHighlight:
   1. If the matchItem.toString() contains a starting tag (< followed by >), typeaheadHighlight should use [$sce.getTrustedHtml] on the matchItem
   2. If $sanitize service exists, call $sce.getTrustedHtml on the output. Otherwise, if it doesn't exist, call $sce.trustAsHtml on the output.
3. Add Breaking Changes message to note to users to make sure that matchItem labels that contain HTML must be made trusted using the $sce.trustAsHtml method.

This sequence should be safe because if $sanitize doesn't exist and the matchItem string contains a tag, an exception will be thrown. Otherwise, if the matchItem string doesn't contain a tag, there's no need to sanitize it.

[fernando-sendMail]

Hello:
I found this issue too, and since I need to create a workaround for this I want to work out this this weekend. Is anybody working on this currently or is it done yet?

If not, let me know so I can do it, and do a pull request.

On a side note I've never made a contribution, do you have any additional guidelines besides the ones posted on github, say for this project in particular?

Thanks for your time!

[karianna]

Nothing special, except for make sure it's covered by tests :-) go for it!

[nschloe]

This is also popping up for our project; a fix for this would be appreciated. :)

[erik-slack]

Same here.

[Frondor]

bindHtmlUnsafe is now deprecated. Use ngBindHtml instead (Google Chrome console warning)

[andrzejpiasecki]

Same here.

[kikar]

+1