allowHtml now defaults to false

Author: Xon

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### ⚠ BREAKING CHANGES
 
+* `allowHtml` now defaults to false.
 * HTML escaping of choice/item labels should no longer double escape depending on allowHTML mode.
 * Templates/text functions now escape `'` characters for display.
 * `addItemText`/`uniqueItemText`/`customAddItemText` are now called with the `value` argument already escaped.

README.md

@@ -129,7 +129,7 @@ Or include Choices directly:
     removeItemButton: false,
     removeItemButtonAlignLeft: false,
     editItems: false,
-    allowHTML: true,
+    allowHTML: false,
     duplicateItemsAllowed: true,
     delimiter: ',',
     paste: true,
@@ -359,14 +359,12 @@ Pass an array of objects:
 
 ### allowHTML
 
-**Type:** `Boolean` **Default:** `true`
+**Type:** `Boolean` **Default:** `false`
 
 **Input types affected:** `text`, `select-one`, `select-multiple`
 
 **Usage:** Whether HTML should be rendered in all Choices elements. If `false`, all elements (placeholder, items, etc.) will be treated as plain text. If `true`, this can be used to perform XSS scripting attacks if you load choices from a remote source.
 
-**Deprecation Warning:** This will default to `false` in a future release.
-
 ### allowHtmlUserInput
 
 **Type:** `Boolean` **Default:** `false`

cypress/e2e/select-multiple.spec.ts

@@ -949,34 +949,6 @@ describe('Choices - select multiple', () => {
     });
 
     describe('allow html', () => {
-      describe('is undefined', () => {
-        it('logs a deprecation warning', () => {
-          cy.get('@consoleWarn').should(
-            'be.calledOnceWithExactly',
-            'Deprecation warning: allowHTML will default to false in a future release. To render HTML in Choices, you will need to set it to true. Setting allowHTML will suppress this message.',
-          );
-        });
-
-        it('does not show as text when selected', () => {
-          cy.get('[data-test-hook=allowhtml-undefined]')
-            .find('.choices__list--multiple .choices__item')
-            .first()
-            .should(($choice) => {
-              expect($choice.text().trim()).to.equal('Choice 1');
-            });
-        });
-
-        it('does not show html as text in dropdown', () => {
-          cy.get('[data-test-hook=allowhtml-undefined]')
-            .find('.choices__list--dropdown .choices__list')
-            .children()
-            .first()
-            .should(($choice) => {
-              expect($choice.text().trim()).to.equal('Choice 2');
-            });
-        });
-      });
-
       describe('set to true', () => {
         it('does not show as text when selected', () => {
           cy.get('[data-test-hook=allowhtml-true]')

cypress/e2e/select-one.spec.ts

@@ -1070,25 +1070,6 @@ describe('Choices - select one', () => {
     });
 
     describe('allow html', () => {
-      describe('is undefined', () => {
-        it('logs a deprecation warning', () => {
-          cy.get('@consoleWarn').should(
-            'be.calledOnceWithExactly',
-            'Deprecation warning: allowHTML will default to false in a future release. To render HTML in Choices, you will need to set it to true. Setting allowHTML will suppress this message.',
-          );
-        });
-
-        it('does not show html as text', () => {
-          cy.get('[data-test-hook=allowhtml-undefined]')
-            .find('.choices__list--dropdown .choices__list')
-            .children()
-            .first()
-            .should(($choice) => {
-              expect($choice.text().trim()).to.equal('Choice 1');
-            });
-        });
-      });
-
       describe('set to true', () => {
         it('does not show html as text', () => {
           cy.get('[data-test-hook=allowhtml-true]')

cypress/e2e/text.spec.ts

@@ -360,24 +360,6 @@ describe('Choices - text element', () => {
     });
 
     describe('allow html', () => {
-      describe('is undefined', () => {
-        it('logs a deprecation warning', () => {
-          cy.get('@consoleWarn').should(
-            'be.calledOnceWithExactly',
-            'Deprecation warning: allowHTML will default to false in a future release. To render HTML in Choices, you will need to set it to true. Setting allowHTML will suppress this message.',
-          );
-        });
-
-        it('does not show html as text', () => {
-          cy.get('[data-test-hook=allowhtml-undefined]')
-            .find('.choices__list--multiple .choices__item')
-            .first()
-            .should(($choice) => {
-              expect($choice.text().trim()).to.equal('Mason Rogers');
-            });
-        });
-      });
-
       describe('set to true', () => {
         it('does not show html as text', () => {
           cy.get('[data-test-hook=allowhtml-true]')

public/assets/scripts/choices.js

@@ -230,20 +230,17 @@ var Choices = /** @class */function () {
     var _this = this;
     this._lastAddedChoiceId = 0;
     this._lastAddedGroupId = 0;
-    if (userConfig.allowHTML === undefined) {
-      console.warn('Deprecation warning: allowHTML will default to false in a future release. To render HTML in Choices, you will need to set it to true. Setting allowHTML will suppress this message.');
-    }
     this.config = (0, utils_1.extend)(true, {}, defaults_1.DEFAULT_CONFIG, Choices.defaults.options, userConfig);
     var invalidConfigOptions = (0, utils_1.diff)(this.config, defaults_1.DEFAULT_CONFIG);
     if (invalidConfigOptions.length) {
       console.warn('Unknown config option(s) passed', invalidConfigOptions.join(', '));
     }
     if (!this.config.silent && this.config.allowHTML && this.config.allowHtmlUserInput) {
       if (this.config.addItems) {
-        console.warn('Deprecation warning: allowHTML/allowHtmlUserInput/addItems all being true is strongly not recommended and may lead to XSS attacks');
+        console.warn('Warning: allowHTML/allowHtmlUserInput/addItems all being true is strongly not recommended and may lead to XSS attacks');
       }
       if (this.config.addChoices) {
-        console.warn('Deprecation warning: allowHTML/allowHtmlUserInput/addChoices all being true is strongly not recommended and may lead to XSS attacks');
+        console.warn('Warning: allowHTML/allowHtmlUserInput/addChoices all being true is strongly not recommended and may lead to XSS attacks');
       }
     }
     var passedElement = typeof element === 'string' ? document.querySelector(element) : element;
@@ -2958,7 +2955,7 @@ exports.DEFAULT_CONFIG = {
   removeItemButton: false,
   removeItemButtonAlignLeft: false,
   editItems: false,
-  allowHTML: true,
+  allowHTML: false,
   allowHtmlUserInput: false,
   duplicateItemsAllowed: true,
   delimiter: ',',

public/assets/scripts/choices.min.js

@@ -386,7 +386,7 @@ <h2>Select multiple inputs</h2>
         </div>
 
         <div data-test-hook="allowhtml-undefined">
-          <label for="choices-allowhtml-undefined">HTML allowed by default</label>
+          <label for="choices-allowhtml-undefined">HTML disabled by default</label>
           <select
             class="form-control"
             name="choices-allowhtml-undefined"

public/test/select-multiple/index.html

@@ -377,7 +377,7 @@ <h2>Select one inputs</h2>
         </div>
 
         <div data-test-hook="allowhtml-undefined">
-          <label for="choices-allowhtml-undefined">HTML allowed by default</label>
+          <label for="choices-allowhtml-undefined">HTML disabled by default</label>
           <select
             class="form-control"
             name="choices-allowhtml-undefined"

public/test/select-one/index.html

@@ -77,7 +77,7 @@ <h2>Text inputs</h2>
         </div>
 
         <div data-test-hook="allowhtml-undefined">
-          <label for="allowhtml-undefined">HTML allowed by default</label>
+          <label for="allowhtml-undefined">HTML disabled by default</label>
           <input class="form-control" id="allowhtml-undefined" type="text" />
         </div>
 

public/types/src/scripts/choices.d.ts.map

@@ -230,11 +230,9 @@ export interface Options {
      * If `false`, all elements (placeholder, items, etc.) will be treated as plain text.
      * If `true`, this can be used to perform XSS scripting attacks if you load choices from a remote source.
      *
-     * **Deprecation Warning:** This will default to `false` in a future release.
-     *
      * **Input types affected:** text, select-one, select-multiple
      *
-     * @default true
+     * @default false
      */
     allowHTML: boolean;
     /**