Forbid HTML string tooltips (#20935)

Tippy allows HTML strings to be passed as content but we do not use this
feature (we do pass HTML only as Element), so it's better to disable it
for increased security.

Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
tokarchuk/v1.18
silverwind 2 years ago committed by GitHub
parent aa2e473991
commit 2b0093cb9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      web_src/js/modules/tippy.js

@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
appendTo: document.body, appendTo: document.body,
placement: 'top-start', placement: 'top-start',
animation: false, animation: false,
allowHTML: true, allowHTML: false,
maxWidth: 500, // increase over default 350px maxWidth: 500, // increase over default 350px
arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`, arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
...(opts?.role && {theme: opts.role}), ...(opts?.role && {theme: opts.role}),

Loading…
Cancel
Save