bootstrap: Change tooltip html default to false.

Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a
prerequisite to upgrading Bootstrap, and it’s also safer.

This closes an HTML injection path via user full names in the emoji
reaction tooltip.  It doesn’t appear to be exploitable for cross-site
scripting because we disallow `>` in full names, and the code happens
to be written such that the next `>` is in a different parser
invocation.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

static/js/emoji_picker.js

@@ -598,6 +598,7 @@ exports.render_emoji_popover = function (elt, id) {
         template: template,
         title: "",
         content: generate_emoji_picker_content(id),
+        html: true,
         trigger: "manual",
     });
     elt.popover("show");

static/js/popovers.js

@@ -206,6 +206,7 @@ function render_user_info_popover(user, popover_element, is_sender_popover, priv
             user_avatar: "avatar/" + user.email,
             user_is_guest: user.is_guest,
         }),
+        html: true,
         trigger: "manual",
         top_offset: 100,
         fix_positions: true,
@@ -266,6 +267,7 @@ function show_mobile_message_buttons_popover(element) {
         content: render_mobile_message_buttons_popover_content({
             is_in_private_narrow: narrow_state.narrowed_to_pms(),
         }),
+        html: true,
         trigger: "manual",
     });
     $element.popover("show");
@@ -383,6 +385,7 @@ function show_user_group_info_popover(element, group, message) {
             placement: calculate_info_popover_placement(popover_size, elt),
             template: render_user_group_info_popover({class: "message-info-popover"}),
             content: render_user_group_info_popover_content(args),
+            html: true,
             trigger: "manual",
         });
         elt.popover("show");
@@ -481,6 +484,7 @@ exports.toggle_actions_popover = function (element, id) {
             placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
             title: "",
             content: render_actions_popover_content(args),
+            html: true,
             trigger: "manual",
         });
         elt.popover("show");
@@ -504,6 +508,7 @@ exports.render_actions_remind_popover = function (element, id) {
             placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
             title: "",
             content: render_remind_me_popover_content(args),
+            html: true,
             trigger: "manual",
         });
         elt.popover("show");

static/js/stats/stats.js

@@ -75,7 +75,6 @@ $(function tooltips() {
     $('span[data-toggle="tooltip"]').tooltip({
         animation: false,
         placement: 'top',
-        html: true,
         trigger: 'manual',
     });
     $('#id_last_update_question_sign').hover(function () {

static/js/stream_create.js

@@ -439,6 +439,7 @@ exports.set_up_handlers = function () {
             placement: "right",
             content: render_announce_stream_docs({
                 notifications_stream: page_params.notifications_stream}),
+            html: true,
             trigger: "manual"});
         announce_stream_docs.popover('show');
         announce_stream_docs.data('popover').tip().css('z-index', 2000);

static/js/stream_popover.js

@@ -133,6 +133,7 @@ function build_stream_popover(opts) {
 
     $(elt).popover({
         content: content,
+        html: true,
         trigger: "manual",
         fixed: true,
         fix_positions: true,
@@ -184,6 +185,7 @@ function build_topic_popover(opts) {
 
     $(elt).popover({
         content: content,
+        html: true,
         trigger: "manual",
         fixed: true,
     });
@@ -209,6 +211,7 @@ function build_all_messages_popover(e) {
 
     $(elt).popover({
         content: content,
+        html: true,
         trigger: "manual",
         fixed: true,
     });
@@ -237,6 +240,7 @@ function build_starred_messages_popover(e) {
 
     $(elt).popover({
         content: content,
+        html: true,
         trigger: "manual",
         fixed: true,
     });

static/js/stream_ui_updates.js

@@ -28,8 +28,8 @@ exports.initialize_disable_btn_hint_popover = function (btn_wrapper, popover_btn
     disabled_btn.css("pointer-events", "none");
     popover_btn.popover({
         placement: "bottom",
-        content: "<div class='sub_disable_btn_hint'>%s</div>".replace(
-            '%s', hint_text),
+        content: $("<div>", {class: "sub_disable_btn_hint"}).text(hint_text)
+            .prop("outerHTML"),
         trigger: "manual",
         html: true,
         animation: false,

static/third/bootstrap/js/bootstrap.js

@@ -1443,7 +1443,7 @@
   , trigger: 'hover'
   , title: ''
   , delay: 0
-  , html: true
+  , html: false
   , fixed: false
   }
 

templates/analytics/stats.html

@@ -101,7 +101,7 @@
 
         <div class="last-update">
             {{ _("Last update") }}: <span id="id_last_full_update"></span>
-            <span data-toggle="tooltip" class="last_update_tooltip" title="{% trans %}A full update of all the graphs happens once a day.<br/>The “Messages Sent Over Time” graph is updated once an hour.{% endtrans %}">
+            <span data-toggle="tooltip" class="last_update_tooltip" data-html="true" title="{% trans %}A full update of all the graphs happens once a day.<br/>The “Messages Sent Over Time” graph is updated once an hour.{% endtrans %}">
                 <span class="fa fa-info-circle" id="id_last_update_question_sign"></span>
             </span>
             <br />