author | silverwind <me@silverwind.io> | 2022-08-23 22:17:42 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-23 16:17:42 -0400 |
commit | 2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45 (patch) | |
tree | 3d7dfecfeec7c00b16a30799608bd345d559d8b3 /web_src | |
parent | aa2e47399158ea5958638f5bb5f89967054bf48e (diff) | |
download | gitea-2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45.tar.gz gitea-2b0093cb9f5ef3bfdc1eaec6edd3c7b3752fcd45.zip |
Forbid HTML string tooltips (#20935)
Tippy allows HTML strings to be passed as content, but we do not use this
feature (we only pass HTML as an Element), so it is better to disable it
for increased security.
Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
Diffstat (limited to 'web_src')
-rw-r--r-- | web_src/js/modules/tippy.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/web_src/js/modules/tippy.js b/web_src/js/modules/tippy.js
index 6f3adadddc..44e97e2a0f 100644
--- a/web_src/js/modules/tippy.js
+++ b/web_src/js/modules/tippy.js
@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
 appendTo: document.body,
 placement: 'top-start',
 animation: false,
- allowHTML: true,
+ allowHTML: false,
 maxWidth: 500, // increase over default 350px
 arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
 ...(opts?.role && {theme: opts.role}), |
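Review bot: The new `allowHTML: false` line carries no comment explaining the intent, and because this options object also spreads caller-supplied values (`...(opts?.role && {theme: opts.role})` is visible here, and a broader `...opts` spread may follow outside the hunk), a caller could still pass `allowHTML: true` and re-enable HTML string content for its tooltip. I would document it inline, e.g. `allowHTML: false, // string content is rendered as text; pass an Element when markup is needed`, and if a general opts spread does exist below, consider placing `allowHTML: false` after it so the default cannot be overridden by accident. Note also that, as far as I recall from the Tippy source, `allowHTML` governs only the `content` prop, while the `arrow` SVG string on the following line is inserted via innerHTML regardless of this flag; that is fine because it is a static literal, but it should not be assumed to be covered by the new setting. createTippy begins and ends outside the hunk.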