mirror of https://github.com/zulip/zulip.git
bootstrap: Change tooltip html default to false.
Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a prerequisite to upgrading Bootstrap, and it’s also safer. This closes an HTML injection path via user full names in the emoji reaction tooltip. It doesn’t appear to be exploitable for cross-site scripting because we disallow `>` in full names, and the code happens to be written such that the next `>` is in a different parser invocation. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
Anders Kaseorg
Tim Abbott
parent
cf5a00d94b
commit
46e562f990
|
|
@ -598,6 +598,7 @@ exports.render_emoji_popover = function (elt, id) {
|
||||||
template: template,
|
template: template,
|
||||||
title: "",
|
title: "",
|
||||||
content: generate_emoji_picker_content(id),
|
content: generate_emoji_picker_content(id),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
});
|
});
|
||||||
elt.popover("show");
|
elt.popover("show");
|
||||||
|
|
|
||||||
|
|
@ -206,6 +206,7 @@ function render_user_info_popover(user, popover_element, is_sender_popover, priv
|
||||||
user_avatar: "avatar/" + user.email,
|
user_avatar: "avatar/" + user.email,
|
||||||
user_is_guest: user.is_guest,
|
user_is_guest: user.is_guest,
|
||||||
}),
|
}),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
top_offset: 100,
|
top_offset: 100,
|
||||||
fix_positions: true,
|
fix_positions: true,
|
||||||
|
|
@ -266,6 +267,7 @@ function show_mobile_message_buttons_popover(element) {
|
||||||
content: render_mobile_message_buttons_popover_content({
|
content: render_mobile_message_buttons_popover_content({
|
||||||
is_in_private_narrow: narrow_state.narrowed_to_pms(),
|
is_in_private_narrow: narrow_state.narrowed_to_pms(),
|
||||||
}),
|
}),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
});
|
});
|
||||||
$element.popover("show");
|
$element.popover("show");
|
||||||
|
|
@ -383,6 +385,7 @@ function show_user_group_info_popover(element, group, message) {
|
||||||
placement: calculate_info_popover_placement(popover_size, elt),
|
placement: calculate_info_popover_placement(popover_size, elt),
|
||||||
template: render_user_group_info_popover({class: "message-info-popover"}),
|
template: render_user_group_info_popover({class: "message-info-popover"}),
|
||||||
content: render_user_group_info_popover_content(args),
|
content: render_user_group_info_popover_content(args),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
});
|
});
|
||||||
elt.popover("show");
|
elt.popover("show");
|
||||||
|
|
@ -481,6 +484,7 @@ exports.toggle_actions_popover = function (element, id) {
|
||||||
placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
|
placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
|
||||||
title: "",
|
title: "",
|
||||||
content: render_actions_popover_content(args),
|
content: render_actions_popover_content(args),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
});
|
});
|
||||||
elt.popover("show");
|
elt.popover("show");
|
||||||
|
|
@ -504,6 +508,7 @@ exports.render_actions_remind_popover = function (element, id) {
|
||||||
placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
|
placement: message_viewport.height() - ypos < 220 ? 'top' : 'bottom',
|
||||||
title: "",
|
title: "",
|
||||||
content: render_remind_me_popover_content(args),
|
content: render_remind_me_popover_content(args),
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
});
|
});
|
||||||
elt.popover("show");
|
elt.popover("show");
|
||||||
|
|
|
||||||
|
|
@ -75,7 +75,6 @@ $(function tooltips() {
|
||||||
$('span[data-toggle="tooltip"]').tooltip({
|
$('span[data-toggle="tooltip"]').tooltip({
|
||||||
animation: false,
|
animation: false,
|
||||||
placement: 'top',
|
placement: 'top',
|
||||||
html: true,
|
|
||||||
trigger: 'manual',
|
trigger: 'manual',
|
||||||
});
|
});
|
||||||
$('#id_last_update_question_sign').hover(function () {
|
$('#id_last_update_question_sign').hover(function () {
|
||||||
|
|
|
||||||
|
|
@ -439,6 +439,7 @@ exports.set_up_handlers = function () {
|
||||||
placement: "right",
|
placement: "right",
|
||||||
content: render_announce_stream_docs({
|
content: render_announce_stream_docs({
|
||||||
notifications_stream: page_params.notifications_stream}),
|
notifications_stream: page_params.notifications_stream}),
|
||||||
|
html: true,
|
||||||
trigger: "manual"});
|
trigger: "manual"});
|
||||||
announce_stream_docs.popover('show');
|
announce_stream_docs.popover('show');
|
||||||
announce_stream_docs.data('popover').tip().css('z-index', 2000);
|
announce_stream_docs.data('popover').tip().css('z-index', 2000);
|
||||||
|
|
|
||||||
|
|
@ -133,6 +133,7 @@ function build_stream_popover(opts) {
|
||||||
|
|
||||||
$(elt).popover({
|
$(elt).popover({
|
||||||
content: content,
|
content: content,
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
fixed: true,
|
fixed: true,
|
||||||
fix_positions: true,
|
fix_positions: true,
|
||||||
|
|
@ -184,6 +185,7 @@ function build_topic_popover(opts) {
|
||||||
|
|
||||||
$(elt).popover({
|
$(elt).popover({
|
||||||
content: content,
|
content: content,
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
fixed: true,
|
fixed: true,
|
||||||
});
|
});
|
||||||
|
|
@ -209,6 +211,7 @@ function build_all_messages_popover(e) {
|
||||||
|
|
||||||
$(elt).popover({
|
$(elt).popover({
|
||||||
content: content,
|
content: content,
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
fixed: true,
|
fixed: true,
|
||||||
});
|
});
|
||||||
|
|
@ -237,6 +240,7 @@ function build_starred_messages_popover(e) {
|
||||||
|
|
||||||
$(elt).popover({
|
$(elt).popover({
|
||||||
content: content,
|
content: content,
|
||||||
|
html: true,
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
fixed: true,
|
fixed: true,
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -28,8 +28,8 @@ exports.initialize_disable_btn_hint_popover = function (btn_wrapper, popover_btn
|
||||||
disabled_btn.css("pointer-events", "none");
|
disabled_btn.css("pointer-events", "none");
|
||||||
popover_btn.popover({
|
popover_btn.popover({
|
||||||
placement: "bottom",
|
placement: "bottom",
|
||||||
content: "<div class='sub_disable_btn_hint'>%s</div>".replace(
|
content: $("<div>", {class: "sub_disable_btn_hint"}).text(hint_text)
|
||||||
'%s', hint_text),
|
.prop("outerHTML"),
|
||||||
trigger: "manual",
|
trigger: "manual",
|
||||||
html: true,
|
html: true,
|
||||||
animation: false,
|
animation: false,
|
||||||
|
|
|
||||||
|
|
@ -1443,7 +1443,7 @@
|
||||||
, trigger: 'hover'
|
, trigger: 'hover'
|
||||||
, title: ''
|
, title: ''
|
||||||
, delay: 0
|
, delay: 0
|
||||||
, html: true
|
, html: false
|
||||||
, fixed: false
|
, fixed: false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -101,7 +101,7 @@
|
||||||
|
|
||||||
<div class="last-update">
|
<div class="last-update">
|
||||||
{{ _("Last update") }}: <span id="id_last_full_update"></span>
|
{{ _("Last update") }}: <span id="id_last_full_update"></span>
|
||||||
<span data-toggle="tooltip" class="last_update_tooltip" title="{% trans %}A full update of all the graphs happens once a day.<br/>The “Messages Sent Over Time” graph is updated once an hour.{% endtrans %}">
|
<span data-toggle="tooltip" class="last_update_tooltip" data-html="true" title="{% trans %}A full update of all the graphs happens once a day.<br/>The “Messages Sent Over Time” graph is updated once an hour.{% endtrans %}">
|
||||||
<span class="fa fa-info-circle" id="id_last_update_question_sign"></span>
|
<span class="fa fa-info-circle" id="id_last_update_question_sign"></span>
|
||||||
</span>
|
</span>
|
||||||
<br />
|
<br />
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue