From 0b169562ba8cdde02efd45a4914961a1fc0f116a Mon Sep 17 00:00:00 2001
From: silverwind
Date: Tue, 23 Aug 2022 22:17:42 +0200
Subject: [PATCH] Forbid HTML string tooltips (#20935)

Tippy allows HTML strings to be passed as content but we do not use this feature (we do pass HTML only as Element), so it's better to disable it for increased security.

Ref: https://atomiks.github.io/tippyjs/v6/html-content/#string
---
 web_src/js/modules/tippy.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/modules/tippy.js b/web_src/js/modules/tippy.js
index 6f3adadddc104..44e97e2a0fd4b 100644
--- a/web_src/js/modules/tippy.js
+++ b/web_src/js/modules/tippy.js
@@ -5,7 +5,7 @@ export function createTippy(target, opts = {}) {
 appendTo: document.body,
 placement: 'top-start',
 animation: false,
- allowHTML: true,
+ allowHTML: false,
 maxWidth: 500, // increase over default 350px
 arrow: ``,
 ...(opts?.role && {theme: opts.role}),
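Review bot: The new `allowHTML: false` line carries no comment explaining the constraint it introduces, while the neighbouring `maxWidth` line does; a maintainer whose string-content tooltip stops rendering may simply flip it back. Suggest `allowHTML: false, // content must be passed as an Element, never as an HTML string (#20935)`. If the caller-supplied `opts` is spread into this options object after these defaults (the end of the object is outside the hunk), a call site can still pass `allowHTML: true` and re-enable string content, so it is worth confirming no caller does. The body of createTippy continues outside the hunk.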