SECURITY: prevents XSS when showing tooltip

2024-11-27 00:53:39 +08:00 · 2018-06-27 14:35:47 +02:00 · 2018-06-27 14:35:47 +02:00 · b5b847f6d6
commit b5b847f6d6
parent 6bcdc3ba4b
1 changed files with 3 additions and 1 deletions
--- a/app/assets/javascripts/discourse/lib/tooltip.js.es6
+++ b/app/assets/javascripts/discourse/lib/tooltip.js.es6
@ -1,9 +1,11 @@
+import { escapeExpression } from "discourse/lib/utilities";
+
 export function showTooltip() {
  const fadeSpeed = 300;
  const tooltipID = "#discourse-tooltip";
  const $this = $(this);
  const $parent = $this.offsetParent();
-  const content = $this.attr("data-tooltip");
+  const content = escapeExpression($this.attr("data-tooltip"));
  const retina =
    window.devicePixelRatio && window.devicePixelRatio > 1
      ? "class='retina'"