Angular 1.7 breaks close button

[dmudro]

Bug description:

Angular 1.7 inserts unsafe: string in href attribute when it contains href="javascript:" . This breaks the close button in tags when using mutliple attribute in FF, Edge (and potentially other browsers).

Check out the close button href value in /src/select2/match-multiple.tpl.html:
<a href="javascript:;" class="ui-select-match-close select2-search-choice-close"...

The workaround is to whitelist javascript: in href globally:
https://anotherdevblog.com/2018/06/27/angularjs-adds-unsafe-before-links/

Link to minimally-working plunker that reproduces the issue:

http://plnkr.co/edit/czeDNT8blND3tz3mYkET?p=preview

Version of Angular, UI-Select, and Bootstrap/Select2/Selectize CSS

Angular: 1.7.0+
UI-Select: 0.19.8

[dmudro]

There is a cleaner workaround without compromising security.

By forking the select2 templates and providing the path as custom theme in the config, the ng template engine will pick up fixed html:
uiSelectConfig.theme = 'path/to/fixed-ui-select-templates-without-javascript-in-href';