From 46e562f99001598c6dc74448257f6d9026c4d355 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Tue, 17 Sep 2019 14:54:52 -0700
Subject: [PATCH] bootstrap: Change tooltip html default to false.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a prerequisite to upgrading Bootstrap, and it’s also safer. This closes an HTML injection path via user full names in the emoji reaction tooltip. It doesn’t appear to be exploitable for cross-site scripting because we disallow `>` in full names, and the code happens to be written such that the next `>` is in a different parser invocation.

Signed-off-by: Anders Kaseorg
---
 static/js/emoji_picker.js | 1 +
 static/js/popovers.js | 5 +++++
 static/js/stats/stats.js | 1 -
 static/js/stream_create.js | 1 +
 static/js/stream_popover.js | 4 ++++
 static/js/stream_ui_updates.js | 4 ++--
 static/third/bootstrap/js/bootstrap.js | 2 +-
 templates/analytics/stats.html | 2 +-
 8 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/static/js/emoji_picker.js b/static/js/emoji_picker.js
index 4bf628d1d1..adeae51880 100644
--- a/static/js/emoji_picker.js
+++ b/static/js/emoji_picker.js
@@ -598,6 +598,7 @@ exports.render_emoji_popover = function (elt, id) {
  template: template,
  title: "",
  content: generate_emoji_picker_content(id),
+ html: true,
  trigger: "manual",
  });
  elt.popover("show");
diff --git a/static/js/popovers.js b/static/js/popovers.js
index a00f6c408b..22b9a3f858 100644
--- a/static/js/popovers.js
+++ b/static/js/popovers.js
@@ -206,6 +206,7 @@ function render_user_info_popover(user, popover_element, is_sender_popover, priv
  user_avatar: "avatar/" + user.email,
  user_is_guest: user.is_guest,
  }),
+ html: true,
  trigger: "manual",
  top_offset: 100,
  fix_positions: true,
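Review bot: The `html: true` added in render_user_info_popover re-enables HTML interpretation for content built from per-user fields (`user.email` and `user.is_guest` are passed in the visible lines, and the full name the commit message cites as the injection path is presumably rendered by the same template), so this site is only as safe as the template's escaping, which is outside the hunk. I would state that contract at the opt-in so the next maintainer does not have to re-derive it: `html: true, // content is template-rendered; every user field must be escaped by the template`. With the default now false, each explicit `html: true` is the new audit surface, and a lint or grep test asserting that every `html: true` call passes render_*() output rather than a concatenated string would keep that surface from growing unnoticed. Both render_user_info_popover and the popover call begin before this hunk.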
@@ -266,6 +267,7 @@ function show_mobile_message_buttons_popover(element) {
  content: render_mobile_message_buttons_popover_content({
  is_in_private_narrow: narrow_state.narrowed_to_pms(),
  }),
+ html: true,
  trigger: "manual",
  });
  $element.popover("show");
@@ -383,6 +385,7 @@ function show_user_group_info_popover(element, group, message) {
  placement: calculate_info_popover_placement(popover_size, elt),
  template: render_user_group_info_popover({class: "message-info-popover"}),
  content: render_user_group_info_popover_content(args),
+ html: true,
  trigger: "manual",
  });
  elt.popover("show");
@@ -481,6 +484,7 @@ exports.toggle_actions_popover = function (element, id) {
  placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
  title: "",
  content: render_actions_popover_content(args),
+ html: true,
  trigger: "manual",
  });
  elt.popover("show");
@@ -504,6 +508,7 @@ exports.render_actions_remind_popover = function (element, id) {
  placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
  title: "",
  content: render_remind_me_popover_content(args),
+ html: true,
  trigger: "manual",
  });
  elt.popover("show");
diff --git a/static/js/stats/stats.js b/static/js/stats/stats.js
index 339d815a1e..5fd9609bd1 100644
--- a/static/js/stats/stats.js
+++ b/static/js/stats/stats.js
@@ -75,7 +75,6 @@ $(function tooltips() {
  $('span[data-toggle="tooltip"]').tooltip({
  animation: false,
  placement: 'top',
- html: true,
  trigger: 'manual',
  });
  $('#id_last_update_question_sign').hover(function () {
diff --git a/static/js/stream_create.js b/static/js/stream_create.js
index 35873430dc..3f20a72e32 100644
--- a/static/js/stream_create.js
+++ b/static/js/stream_create.js
@@ -439,6 +439,7 @@ exports.set_up_handlers = function () {
  placement: "right",
  content: render_announce_stream_docs({
  notifications_stream: page_params.notifications_stream}),
+ html: true,
  trigger: "manual"});
  announce_stream_docs.popover('show');
  announce_stream_docs.data('popover').tip().css('z-index', 2000);
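Review bot: `page_params.notifications_stream` is interpolated into content that this hunk now marks `html: true`; stream names are user-chosen, so the safety of this site depends on render_announce_stream_docs escaping that value, which cannot be confirmed from the diff. I would record the dependency at the opt-in, `html: true, // safe only while render_announce_stream_docs escapes notifications_stream`, or, if the template needs no markup around the name, leave this call on the new text default rather than re-enabling HTML. The same question applies to the show_user_group_info_popover hunk on this line, where `args` is assembled outside the visible lines. exports.set_up_handlers begins before this hunk.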
diff --git a/static/js/stream_popover.js b/static/js/stream_popover.js
index 5742d35e29..93eed147a9 100644
--- a/static/js/stream_popover.js
+++ b/static/js/stream_popover.js
@@ -133,6 +133,7 @@ function build_stream_popover(opts) {
 
  $(elt).popover({
  content: content,
+ html: true,
  trigger: "manual",
  fixed: true,
  fix_positions: true,
@@ -184,6 +185,7 @@ function build_topic_popover(opts) {
 
  $(elt).popover({
  content: content,
+ html: true,
  trigger: "manual",
  fixed: true,
  });
@@ -209,6 +211,7 @@ function build_all_messages_popover(e) {
 
  $(elt).popover({
  content: content,
+ html: true,
  trigger: "manual",
  fixed: true,
  });
@@ -237,6 +240,7 @@ function build_starred_messages_popover(e) {
 
  $(elt).popover({
  content: content,
+ html: true,
  trigger: "manual",
  fixed: true,
  });
diff --git a/static/js/stream_ui_updates.js b/static/js/stream_ui_updates.js
index 73b08e5b50..1eb7c16abb 100644
--- a/static/js/stream_ui_updates.js
+++ b/static/js/stream_ui_updates.js
@@ -28,8 +28,8 @@ exports.initialize_disable_btn_hint_popover = function (btn_wrapper, popover_btn
  disabled_btn.css("pointer-events", "none");
  popover_btn.popover({
  placement: "bottom",
- content: "
%s
".replace( - '%s', hint_text), + content: $("
", {class: "sub_disable_btn_hint"}).text(hint_text) + .prop("outerHTML"), trigger: "manual", html: true, animation: false, diff --git a/static/third/bootstrap/js/bootstrap.js b/static/third/bootstrap/js/bootstrap.js index 0c16179942..71174d9e09 100644 --- a/static/third/bootstrap/js/bootstrap.js +++ b/static/third/bootstrap/js/bootstrap.js @@ -1443,7 +1443,7 @@ , trigger: 'hover' , title: '' , delay: 0 - , html: true + , html: false , fixed: false } diff --git a/templates/analytics/stats.html b/templates/analytics/stats.html index c0f6d34346..449f4a25da 100644 --- a/templates/analytics/stats.html +++ b/templates/analytics/stats.html @@ -101,7 +101,7 @@
{{ _("Last update") }}: - +