From 2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45 Mon Sep 17 00:00:00 2001 From: silverwind Date: Tue, 23 Aug 2022 22:17:42 +0200 Subject: [PATCH] Forbid HTML string tooltips (#20935) Tippy allows HTML strings to be passed as content but we do not use this feature (we do pass HTML only as Element), so it's better to disable it for increased security. Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string --- web_src/js/modules/tippy.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web_src/js/modules/tippy.js b/web_src/js/modules/tippy.js index 6f3adaddd..44e97e2a0 100644 --- a/web_src/js/modules/tippy.js +++ b/web_src/js/modules/tippy.js @@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) { appendTo: document.body, placement: 'top-start', animation: false, - allowHTML: true, + allowHTML: false, maxWidth: 500, // increase over default 350px arrow: ``, ...(opts?.role && {theme: opts.role}),