mirror of https://github.com/zulip/zulip.git
46e562f990
Bootstrap v2.2.0^2~40^2~6 changes this default to false, so this is a prerequisite to upgrading Bootstrap, and it’s also safer. This closes an HTML injection path via user full names in the emoji reaction tooltip. It doesn’t appear to be exploitable for cross-site scripting because we disallow `>` in full names, and the code happens to be written such that the next `>` is in a different parser invocation. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> |
||
---|---|---|
.. | ||
bootstrap.js |