detect if title in tooltip is text or html. if text - use text method to prevent xss.

all add a few notes to js readme about updated event

js/README.md

@@ -5,7 +5,7 @@ These are the high-level design rules which guide the development of Bootstrap's
 
 ### DATA-ATTRIBUTE API
 
-We believe you should be able to use all plugins provided by Bootstrap purely through the markup API without writing a single line of javascript.
+We believe you should be able to use all plugins provided by Bootstrap purely through the markup API without writing a single line of javascript. This is bootstraps first class api.
 
 We acknowledge that this isn't always the most performant and sometimes it may be desirable to turn this functionality off altogether. Therefore, as of 2.0 we provide the ability to disable the data attribute API by unbinding all events on the body namespaced with `'data-api'`. This looks like this:
 
@@ -29,7 +29,7 @@ All methods should accept an optional options object, a string which targets a p
 
     $("#myModal").modal() // initialized with defaults
     $("#myModal").modal({ keyboard: false }) // initialized with no keyboard
-    $("#myModal").modal('show') // initializes and invokes show immediately afterqwe2
+    $("#myModal").modal('show') // initializes and invokes show immediately
 
 ---
 
@@ -60,6 +60,12 @@ All events should have an infinitive and past participle form. The infinitive is
     show | shown
     hide | hidden
 
+All infinitive events should provide preventDefault functionality. This provides the abililty to stop the execution of an action.
+
+    $('#myModal').on('show', function (e) {
+        if (!data) return e.preventDefault() // stops modal from being shown
+    })
+
 ---
 
 ### CONSTRUCTORS

js/bootstrap-tooltip.js

@@ -155,9 +155,21 @@
       }
     }
 
+  , isHTML: function( text ) {
+      // html string detection logic adapted from jQuery
+      return typeof text != 'string'
+        || ( text.charAt(0) === "<"
+          && text.charAt( text.length - 1 ) === ">"
+          && text.length >= 3
+        ) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
+    }
+
   , setContent: function () {
       var $tip = this.tip()
-      $tip.find('.tooltip-inner').html(this.getTitle())
+        , title = this.getTitle()
+        , isHTML = this.isHTML(title)
+
+      $tip.find('.tooltip-inner')[isHTML ? 'html' : 'text'](title)
       $tip.removeClass('fade in top bottom left right')
     }
 

js/tests/unit/bootstrap-tooltip.js

@@ -59,4 +59,28 @@ $(function () {
         ok(!$(".tooltip").length, 'tooltip removed')
       })
 
+      test("should detect if title string is html or text: foo", function () {
+        ok(!$.fn.tooltip.Constructor.prototype.isHTML('foo'), 'correctly detected html')
+      })
+
+      test("should detect if title string is html or text: <foo>", function () {
+        ok(!$.fn.tooltip.Constructor.prototype.isHTML('<foo>'), 'correctly detected html')
+      })
+
+      test("should detect if title string is html or text: <div>foo</div>", function () {
+        ok($.fn.tooltip.Constructor.prototype.isHTML('<div>foo</div>'), 'correctly detected html')
+      })
+
+      test("should detect if title string is html or text: asdfa&lt;div>foo&lt;/div>asdfasdf", function () {
+        ok($.fn.tooltip.Constructor.prototype.isHTML('asdfa<div>foo</div>asdfasdf'), 'correctly detected html')
+      })
+
+      test("should detect if title string is html or text: document.createElement('div')", function () {
+        ok($.fn.tooltip.Constructor.prototype.isHTML(document.createElement('div')), 'correctly detected html')
+      })
+
+      test("should detect if title string is html or text: $('&lt;div />)", function () {
+        ok($.fn.tooltip.Constructor.prototype.isHTML($('<div></div>')), 'correctly detected html')
+      })
+
 })