sanitize template option for tooltip/popover plugins

[Johann-S]

XSS was possible in the tooltip or popover data-template, data-content and data-title attributes.

Fixes CVE-2019-8331.

[XhmikosR]

@MarkCarver: you need to tone down the discussion.

[Johann-S]

Ok things I have to do:

• Update the docs
• Sanitize title and content if html is at true
• Not allowing sanitize to be set by data attributes in HTML

And I think it'll be good, do not hesite @MarkCarver if you have any feedbacks, I think I heard you 👍

[markhalliwell]

I think the title option still needs to be sanitized, didn't see that in the latest code changes yet.

[markhalliwell]

• Not allowing sanitize to be set by data attributes in HTML

Not allowing sanitize or whiteList to be set by data attributes in HTML

[Johann-S]

The title is sanitized by the same methods which sanitized content

[markhalliwell]

Ah, you're right. Forgot that BS4 added setElementContent.

[markhalliwell]

Just that tiny doc nit, but other than that I think this looks good!

@Johann-S++

Ty and amazing work!