zulip

History

Anders Kaseorg 46e562f990 bootstrap: Change tooltip html default to false. Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a prerequisite to upgrading Bootstrap, and it’s also safer. This closes an HTML injection path via user full names in the emoji reaction tooltip. It doesn’t appear to be exploitable for cross-site scripting because we disallow `>` in full names, and the code happens to be written such that the next `>` is in a different parser invocation. Signed-off-by: Anders Kaseorg <anders@zulipchat.com>	2019-09-19 20:53:10 -07:00
..
css	api docs: Move json-api-example css to portico.scss.	2019-02-08 07:42:32 -08:00
js	bootstrap: Change tooltip html default to false.	2019-09-19 20:53:10 -07:00

Anders Kaseorg 46e562f990 bootstrap: Change tooltip html default to false.

Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a
prerequisite to upgrading Bootstrap, and it’s also safer.

This closes an HTML injection path via user full names in the emoji
reaction tooltip.  It doesn’t appear to be exploitable for cross-site
scripting because we disallow `>` in full names, and the code happens
to be written such that the next `>` is in a different parser
invocation.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>

2019-09-19 20:53:10 -07:00

css

api docs: Move json-api-example css to portico.scss.

2019-02-08 07:42:32 -08:00

bootstrap: Change tooltip html default to false.

2019-09-19 20:53:10 -07:00