SECURITY: prevents XSS when showing tooltip

Joffrey JAFFEUX 2018-06-27 14:35:47 +02:00
parent 6bcdc3ba4b
commit b5b847f6d6


@ -1,9 +1,11 @@
import { escapeExpression } from "discourse/lib/utilities";
export function showTooltip() { export function showTooltip() {
const fadeSpeed = 300; const fadeSpeed = 300;
const tooltipID = "#discourse-tooltip"; const tooltipID = "#discourse-tooltip";
const $this = $(this); const $this = $(this);
const $parent = $this.offsetParent(); const $parent = $this.offsetParent();
const content = $this.attr("data-tooltip"); const content = escapeExpression($this.attr("data-tooltip"));
const retina = const retina =
window.devicePixelRatio && window.devicePixelRatio > 1 window.devicePixelRatio && window.devicePixelRatio > 1
? "class='retina'" ? "class='retina'"
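Review bot: The escaping added on the `content` line sits away from where the value is used, and that use is outside this hunk, so nothing at the point of insertion shows the string is already HTML-safe. I would add a comment at the assignment, `// data-tooltip may hold user-supplied text; escape it before it is placed in the tooltip markup`, or rename the variable to `escapedContent` so a later edit neither drops nor doubles the escaping. `$this.attr("data-tooltip")` returns `undefined` when the attribute is absent, so it is worth confirming that `escapeExpression` yields an empty string in that case rather than the text "undefined". No test is visible on this page; a case that sets a `data-tooltip` value containing markup and asserts it is shown as plain text would pin the fix. The body of `showTooltip` continues past the end of the hunk.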