Closed
Description
I saw you were fixing a couple of HTML injections in the last build (for example #1554 and also in b-tab).
I just noticed it is still possible to inject HTML into form-group's valid/invalid feedback properties in 2.0.0-rc2. So if you have an error like "xy is not a valid email address", it is possible to inject HTML into the invalid email address.
Perhaps this is by design though. Feel free to close if this is the case.
Example:
```html
<b-form-group invalid-feedback="<h1 onclick=&quot;alert('injected');&quot;>Click me</h1>" class="was-validated">
  <b-form-input type="text" required/>
</b-form-group>
```
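One way for an application to keep user input inert when it is interpolated into a feedback message that the component renders as HTML. This is an added example, not BootstrapVue code and not part of the original report; `escapeHtml`, `safeHtml` and `invalidEmailFeedback` are hypothetical names, and the sample input is constructed from the report's own example.

```javascript
// Added example, not BootstrapVue code. All function names are hypothetical.
// Assumption: the feedback string ends up rendered as HTML, so every
// user-supplied fragment must be entity-encoded before it is interpolated.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;'
};

// Encode the characters that can open a tag, close an attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template: literal parts are trusted, interpolated values are escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Build the "xy is not a valid email address" message from untrusted input.
function invalidEmailFeedback(userInput) {
  // Truncate before escaping so an entity is never cut in half.
  const shown = String(userInput).slice(0, 64);
  return safeHtml`${shown} is not a valid email address`;
}

// Constructed sample input, taken from the example in the report.
const sample = `<h1 onclick="alert('injected');">Click me</h1>`;
console.log(invalidEmailFeedback(sample));
```

The returned string can be bound to `invalid-feedback`; the markup in the input is then displayed as text instead of being parsed.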