[Autocomplete] Escape remote data

[comnuoc]

Currently, the script does not escape remote data and may have XSS vulnerabilities.

render: {
    option: function (item: any) {
        return `<div>${item.text}</div>`;
    },
    item: function (item: any) {
        return `<div>${item.text}</div>`;
    },

Can we escape remote data by default? https://tom-select.js.org/docs/#render-templates

render: {
    option: function (item: any, escape:typeof escape_html) {
        return `<div>${escape(item.text)}</div>`;
    },
    item: function (item: any, escape:typeof escape_html) {
        return `<div>${escape(item.text)}</div>`;
    },

or escape data based on option options_as_html

[smnandre]

Are you feeling up for a PR ?

[comnuoc]

I'm sorry, I don't have time for now. Could you please help?

[carsonbot]

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

[carsonbot]

Friendly reminder that this issue exists. If I don't hear anything I'll close this.

[carsonbot]

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!

[Kocal]

Hi, is this issue still happening after #2108? We use option_create option and display escaped remote data in it.