Commit 903dbda79b (#25370) introduced a
cross-site scripting vulnerability in the tooltips for the stream and
topic in the recipient bar. An attacker who can send messages could
maliciously craft a topic for the message, such that a victim who
hovers the tooltip for that topic in their message feed triggers
execution of JavaScript code controlled by the attacker.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
Added hotkey hint to Narrow to stream/topic/DM tooltips by creating
new tippy for `tippy-narrow-tooltip` with LONG_HOVER_DELAY which
appends `S` hotkey to the existing tippy content set by
data-tippy-content attribute on the element.
Using this approach instead of a <template> with
data-tooltip-template-id avoids issues with context, where
{display_recipient}/{topic}/{display_reply_to} inside <template>
would always show the same stream/topic name regardless of the
actual stream/topic being hovered over.
tyler
Anders Kaseorg
Daniil Fadeev
Hardik Dharmani
Tim Abbott