CVE-2023-33186: Fix topic tooltip cross-site scripting vulnerability.

Commit 903dbda79b (#25370) introduced a
cross-site scripting vulnerability in the tooltips for the stream and
topic in the recipient bar.  An attacker who can send messages could
maliciously craft a topic for the message, such that a victim who
hovers the tooltip for that topic in their message feed triggers
execution of JavaScript code controlled by the attacker.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

web/src/tippyjs.js

@@ -4,6 +4,7 @@ import tippy, {delegate} from "tippy.js";
 
 import render_message_inline_image_tooltip from "../templates/message_inline_image_tooltip.hbs";
 import render_narrow_to_compose_recipients_tooltip from "../templates/narrow_to_compose_recipients_tooltip.hbs";
+import render_narrow_tooltip from "../templates/narrow_tooltip.hbs";
 import render_tooltip_templates from "../templates/tooltip_templates.hbs";
 
 import * as compose_recipient from "./compose_recipient";
@@ -189,8 +190,9 @@ export function initialize() {
     message_list_tooltip(".tippy-narrow-tooltip", {
         delay: LONG_HOVER_DELAY,
         onCreate(instance) {
-            const content = instance.props.content + $("#narrow-hotkey-tooltip-template").html();
+            instance.setContent(
-            instance.setContent(parse_html(content));
+                parse_html(render_narrow_tooltip({content: instance.props.content})),
+            );
         },
     });
 

web/templates/narrow_tooltip.hbs

@@ -0,0 +1,2 @@
+{{content}}
+{{tooltip_hotkey_hints "S"}}

web/templates/tooltip_templates.hbs

@@ -2,9 +2,6 @@
     {{t 'View user card' }}
     {{tooltip_hotkey_hints "U"}}
 </template>
-<template id="narrow-hotkey-tooltip-template">
-    {{tooltip_hotkey_hints "S"}}
-</template>
 <template id="compose_draft_tooltip_template">
     {{t 'Drafts' }}
     {{tooltip_hotkey_hints "D"}}