Add custom select component with docs and form integration#42093
Add custom select component with docs and form integration#42093
Conversation
Introduces a new CustomSelect plugin with searchable rich-option rendering, wires it into JS/SCSS exports, and documents usage in the forms docs/sidebar. Polish theme, control, and code-copy UI details. Adjusts secondary/button visual tokens and control typography while simplifying code snippet copy button labels across docs shortcodes. Improve docs examples layout and interactive snippets. Expands grid column utility coverage in docs, refines docs section-card responsiveness, and updates button playground snippet rendering/highlighting behavior.
| } | ||
|
|
||
| // Build item content | ||
| item.innerHTML = this._buildItemContent(option) |
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 7 days ago
In general, this problem is fixed by avoiding the pattern “DOM text → string concatenation → innerHTML”. Instead, construct DOM nodes programmatically and insert untrusted data using textContent (or setAttribute) so the browser never interprets it as HTML. HTML-based features that truly require markup (e.g., trusted SVG icons) should be kept separate and, when necessary, passed through a strict sanitizer or only accept developer-controlled values.
For this file, the best fix with minimal functional change is:
- Keep the existing HTML-string-based flow for trusted/controlled fragments (icon SVG, checkmark SVG, and the full
data-bs-contentoverride, which is already sanitized). - Replace
_buildItemContentso it no longer returns an HTML string. Instead:- It creates a root
<span class="custom-select-content">node. - It appends a text span (
<span class="custom-select-text">) withtextContent = option.textContent. - It appends an optional description span with
textContent = option.dataset.bsDescription. - It creates and appends an icon/image container span:
- For
data-bs-icon, treat it as trusted developer HTML and insert it viainnerHTMLin a small, contained span. - For
data-bs-image, create an<img>element and setimg.srcandimg.altas attributes (no HTML interpretation).
- For
- It returns an object containing:
contentElement(the DOM node for the text/description block),iconElement(optional DOM node for icon/image),checkmarkHtml(string) or a small DOM node for the checkmark.
- It creates a root
- Update
_createItemto append the returned nodes instead of settingitem.innerHTML.
To implement this safely and minimally:
- Change
_buildItemContent’s contract from returning a string of HTML to returning an object with DOM elements. - Adjust the
customContentbranch to wrap the sanitized HTML in a container element and then return that element (plus optional checkmark) instead of a raw string. - Modify
_createItemto:- Clear
itemcontent (e.g.,item.innerHTML = ''). - Append
iconElementif present. - Append
contentElement. - Append checkmark (using
insertAdjacentHTMLfor the existing SVG string or by constructing a node).
- Clear
No new imports are needed; we only use standard DOM APIs and the already-imported sanitizeHtml helper.
New custom select menu built on form controls and dropdowns. Needs one more pass because I think I want to rename this from CustomSelect to SelectMenu or something more natural—everything here is custom.