You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
First, thanks for creating this very useful project.
I noticed that it is currently not easily possible to safely put user-generated content into v-tooltip, because the popper option html is always true and I cannot seem to override it. E.g. if you have code such as v-tooltip="user.name", users would be able to enter a name such as <b>Example</b> or worse, leading to XSS vulnerabilities.
I tried the following approaches, but none of them helped:
install VTooltip with { defaultPopperOptions: { html: false } } using Vue.use
I would expect at least the first two options to work.
Right now, the only way seems to be
either to manually sanitize the input text using e.g. the DOM API,
or to use v-popover instead, which is much more complicated compared to v-tooltip.
Personally, I think that the most straightforward way to use v-tooltip (just using the directive attribute) should also be "safe by default". Or is there maybe another simple way to achieve what I am looking for?
The text was updated successfully, but these errors were encountered:
First, thanks for creating this very useful project.
I noticed that it is currently not easily possible to safely put user-generated content into
v-tooltip, because the popper optionhtmlis alwaystrueand I cannot seem to override it. E.g. if you have code such asv-tooltip="user.name", users would be able to enter a name such as<b>Example</b>or worse, leading to XSS vulnerabilities.I tried the following approaches, but none of them helped:
VTooltipwith{ defaultPopperOptions: { html: false } }usingVue.usev-tooltip="{ popperOptions: { html: false }, content: user.name }"v-tooltip="{ html: false, content: user.name }"I would expect at least the first two options to work.
Right now, the only way seems to be
v-popoverinstead, which is much more complicated compared tov-tooltip.Personally, I think that the most straightforward way to use
v-tooltip(just using the directive attribute) should also be "safe by default". Or is there maybe another simple way to achieve what I am looking for?The text was updated successfully, but these errors were encountered: