Forbid HTML string tooltips (#20935)

Tippy allows HTML strings to be passed as content but we do not use this feature (we do pass HTML only as Element), so it's better to disable it for increased security. Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
2022-08-23 22:17:42 +02:00
parent aa2e473991
commit 2b0093cb9f
1 changed files with 1 additions and 1 deletions
--- a/web_src/js/modules/tippy.js
+++ b/web_src/js/modules/tippy.js
@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
    appendTo: document.body,
    placement: 'top-start',
    animation: false,
-    allowHTML: true,
+    allowHTML: false,
    maxWidth: 500, // increase over default 350px
    arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
    ...(opts?.role && {theme: opts.role}),