bootstrap: Change tooltip html default to false.

Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a prerequisite to upgrading Bootstrap, and it’s also safer. This closes an HTML injection path via user full names in the emoji reaction tooltip. It doesn’t appear to be exploitable for cross-site scripting because we disallow `>` in full names, and the code happens to be written such that the next `>` is in a different parser invocation. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2025-11-03 13:33:24 +00:00 · 2019-09-17 14:54:52 -07:00
parent cf5a00d94b
commit 46e562f990
8 changed files with 15 additions and 5 deletions
--- a/static/js/stream_ui_updates.js
+++ b/static/js/stream_ui_updates.js
@@ -28,8 +28,8 @@ exports.initialize_disable_btn_hint_popover = function (btn_wrapper, popover_btn
    disabled_btn.css("pointer-events", "none");
    popover_btn.popover({
        placement: "bottom",
-        content: "<div class='sub_disable_btn_hint'>%s</div>".replace(
-            '%s', hint_text),
+        content: $("<div>", {class: "sub_disable_btn_hint"}).text(hint_text)
+            .prop("outerHTML"),
        trigger: "manual",
        html: true,
        animation: false,