Tabs: Use CSS.escape for sanitizing selectors

[mgol]

The previous private _sanitizeSelector API was not correctly escaping backslashes and is now removed. The native API should always be correct.

[mgol]

@fnagel It's internal only so I thought we can just remove it. Or should we be conservative & only deprecate in 1.14? I don't know how jQuery UI historically approached removing private widget methods.

[mgol]

I see there's at least one case of $.fn._focus getting renamed to $.fn.focus between 1.10.1 & 1.10.2: 1.10.1...1.10.2

[fnagel]

Ohh that is in indeed a good question. Iirc Scott would not make a big thing of changing internal methods but I'm not really sure.

Why not just keep the $.fn._sanitizeSelector $.ui.tabs.prototype._sanitizeSelector until the next minor release but make it use CSS.escape?

[fnagel]

Just seen its not $.fn but $.ui.tabs so it's even more specific (as in Tabs widget only). Not sure if its worth keeping the old method around...

[mgol]

OK, I'll keep it removed then. There's no universal way to sanitize the whole selector; the safe thing to do is to just escape the identifier part, especially when potentially coming from user input. Even if I changed the internal method to use CSS.escape, it would just handle the "# + id" case, which can be confusing and can still lead people to use it where it's not intended.