Echoing a wrong statement doesn't make it any less wrong.
If you don't want XSS, don't echo untrusted raw user input to the browser. Not in the title tag, not in a paragraph body, not in a data attribute. It's on you, or your application framework. Expecting Bootstrap to combat it is insane.
If you don't want XSS, don't echo untrusted raw user input to the browser. Not in the title tag, not in a paragraph body, not in a data attribute. It's on you, or your application framework. Expecting Bootstrap to combat it is insane.