mirror of https://github.com/go-gitea/gitea.git
Forbid HTML string tooltips (#20935)
Tippy allows HTML strings to be passed as content but we do not use this feature (we do pass HTML only as Element), so it's better to disable it for increased security. Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
This commit is contained in:
parent
aa2e473991
commit
2b0093cb9f
|
@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
|
||||||
appendTo: document.body,
|
appendTo: document.body,
|
||||||
placement: 'top-start',
|
placement: 'top-start',
|
||||||
animation: false,
|
animation: false,
|
||||||
allowHTML: true,
|
allowHTML: false,
|
||||||
maxWidth: 500, // increase over default 350px
|
maxWidth: 500, // increase over default 350px
|
||||||
arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
|
arrow: `<svg width="16" height="7"><path d="m0 7 8-7 8 7Z" class="tippy-svg-arrow-outer"/><path d="m0 8 8-7 8 7Z" class="tippy-svg-arrow-inner"/></svg>`,
|
||||||
...(opts?.role && {theme: opts.role}),
|
...(opts?.role && {theme: opts.role}),
|
||||||
|
|
Loading…
Reference in New Issue