Prevent getSelector from returning URLs as selector

[RoflCopter24]

As discussed in issue #32273 the Dropdown and Scrollspy Modules crash with Uncaught DOMException: Failed to execute 'querySelector' on 'Document': 'foo/bar.html' is not a valid selector when there happens to be an actual URL in the href.

The culprit seems to be, that

bootstrap/js/src/util/index.js

Lines 35 to 45 in 9b7bb7b

	const getSelector = element => {
	let selector = element.getAttribute('data-bs-target')
	if (!selector || selector === '#') {
	const hrefAttr = element.getAttribute('href')
	selector = hrefAttr && hrefAttr !== '#' ? hrefAttr.trim() : null
	}
	return selector
	}

does no checks if that href contains a valid selector.

This pull request aims to prevent that case by adding conditions that only allow class selectors (.target) and anchors/IDs (#target) to be returned as selectors, thus preventing crashes caused by real URLs.

Fixes #32273

[rohit2sharma95]

It restricts the user to use only the class and id selectors in the href attribute. This restriction was not before 🤔

[RoflCopter24]

I do not see a problem there. I did not find any mention in the documentation, that anything other than IDs in the href are even supported.

Considering that that freedom for using invalid hrefs as selectors was exactly what caused problems and lead to this PR (and this is the big jump to v5), I think this would be the last opportunity to make such a change before possibly a myriad of users starts misusing the href in that way.

Besides, that's what the data-bs-target attribute is for, right? (which is encouraged everywhere in the docs)

[XhmikosR]

Actually, this would fix the issue we have. I guess it's a good solution for v5. We can revisit in v6.

[rohit2sharma95]

The comment on line 41 is a little bit misleading, id selector does not start with a dot (.).
So this comment should be removed IMO. 🤔