Forbid HTML string tooltips (#20935)

Tippy allows HTML strings to be passed as content, but we do not use this
feature (we pass HTML only as an Element), so it is better to disable it
for increased security.

Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
silverwind
2022-08-23 22:17:42 +02:00
repo.diff.committed_by GitHub
repo.diff.parent aa2e473991
repo.diff.commit 2b0093cb9f


@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
appendTo: document.body,
placement: 'top-start',
animation: false,
allowHTML: true,
allowHTML: false,
maxWidth: 500, // increase over default 350px
arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
...(opts?.role && {theme: opts.role}),
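Review bot: The new `allowHTML: false` sits among the defaults, ahead of the `opts`-derived entry on the last line, so it holds only as long as nothing later in the object literal overrides it. The options object continues past the end of this hunk; if it goes on to spread `opts`, a caller passing `allowHTML: true` would re-enable HTML string content without any visible sign at the call site. If the intent is to forbid this outright, the key should be set after any such spread. The reason is also worth recording on the line itself, for example `allowHTML: false, // HTML strings are forbidden (XSS risk); pass an Element for markup`. The `arrow` template string is a constant, so it is not a concern here.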