authorsilverwind <me@silverwind.io>2022-08-23 22:17:42 +0200
committerGitHub <noreply@github.com>2022-08-23 16:17:42 -0400
commit2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45 (patch)
tree3d7dfecfeec7c00b16a30799608bd345d559d8b3
parentaa2e47399158ea5958638f5bb5f89967054bf48e (diff)
downloadgitea-2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45.tar.gz
gitea-2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45.zip
Forbid HTML string tooltips (#20935)
Tippy allows HTML strings to be passed as content, but we do not use this feature (we pass HTML only as an Element), so it is better to disable it for increased security. Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
-rw-r--r--web_src/js/modules/tippy.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/web_src/js/modules/tippy.js b/web_src/js/modules/tippy.js
index 6f3adadddc..44e97e2a0f 100644
--- a/web_src/js/modules/tippy.js
+++ b/web_src/js/modules/tippy.js
@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
appendTo: document.body,
placement: 'top-start',
animation: false,
- allowHTML: true,
+ allowHTML: false,
maxWidth: 500, // increase over default 350px
arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
...(opts?.role && {theme: opts.role}),
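Review bot: `allowHTML: false` on the new side is a default, not a hard forbid: `createTippy(target, opts = {})` takes caller options, and if the remaining `opts` are spread after these defaults (that merge is outside the hunk), any caller passing `allowHTML: true` silently re-enables HTML-string content. To make the title's "forbid" hold, apply `allowHTML: false` after the caller spread (or reject the key), and record the intent next to the option: `allowHTML: false, // content is passed as an Element, never as an HTML string (#20935)`. The `arrow` value below is a fixed SVG literal from this file rather than caller-supplied data, so it is not what this option is guarding. The enclosing function begins before the hunk and continues past its last line.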