Skip to content

fix(directives): render tooltip/popover content as text to prevent XSS#351

Merged
mrholek merged 1 commit into
mainfrom
fix/tooltip-popover-directive-xss
Jul 6, 2026
Merged

fix(directives): render tooltip/popover content as text to prevent XSS#351
mrholek merged 1 commit into
mainfrom
fix/tooltip-popover-directive-xss

Conversation

@mrholek

@mrholek mrholek commented Jul 5, 2026

Copy link
Copy Markdown
Member

Security fix — v-c-tooltip / v-c-popover directive XSS

Both directives wrote the binding content (and the popover header) straight into innerHTML with no sanitizer — unlike the vanilla tooltip, which sanitizes with an allow list. A value such as <img src=x onerror=…> executed.

Fix

Build the tooltip/popover structure with DOM nodes and set content via textContent, matching Bootstrap's html: false default. All documented usage passes plain-text content, so rendering is unchanged.

Regression tests added.

v-c-tooltip and v-c-popover wrote binding content (and the popover header)
straight into innerHTML with no sanitizer, so a value like
<img src=x onerror=...> executed. Build the tooltip/popover structure with
DOM nodes and set content via textContent, matching Bootstrap's html:false
default.
@mrholek mrholek merged commit 0c58bc7 into main Jul 6, 2026
3 checks passed
@mrholek mrholek deleted the fix/tooltip-popover-directive-xss branch July 6, 2026 00:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant