Forbid HTML string tooltips (go-gitea#20935)

Tippy allows HTML strings to be passed as content but we do not use this feature (we do pass HTML only as Element), so it's better to disable it for increased security. Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
IntegraSDL · Aug 28, 2022 · 0b16956 · 0b16956
1 parent cc3a6fb
commit 0b16956
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/web_src/js/modules/tippy.js b/web_src/js/modules/tippy.js
@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
     appendTo: document.body,
     placement: 'top-start',
     animation: false,
-    allowHTML: true,
+    allowHTML: false,
     maxWidth: 500, // increase over default 350px
     arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
     ...(opts?.role && {theme: opts.role}),