Open lcreid opened 1 year ago
@lcreid Is there anything to do on this issue?
I'd like to leave this open, but I don't think it's high priority to address, since what I observed is that HTML was getting escaped, which is safer than if we were allowing through HTML that might not be safe to render.
While refactoring for #642, BootstrapFormGroupTest#test_append_and_prepend_button started outputting escaped strings instead of HTML. But the test hadn't changed. So the question is, did the code always allow unsafe strings to be passed in and be rendered without being checked for HTML-safeness?