Replies: 2 comments
-
In the next version, the tooltips don't render HTML by default: https://github.com/Akryum/v-tooltip/blob/v3.0/src/config.js#L33
-
Awesome! Do you have an ETA for when this will be released?
-
I've just been notified of a possible XSS attack in my application which was related to the way I was using `v-tooltip` to show some information based on user input. As it turns out, there's an option to prevent `v-tooltip` from rendering passed content as HTML, but by default it just renders all content you throw at it as HTML. IMHO, this is bad. It should not take me more work to write secure code than insecure code if it is possible to do this (and `v-tooltip` is in a good position to prevent me from that). All template engines and web frameworks (not only Vue.js) make you go an extra mile if you want to render HTML from a variable. Not so much `v-tooltip`, which just assumes HTML all the time. I know there is documentation, but I also know from my own projects you can't expect users to read through all of your documentation. Most users just scan the readme to know if the thing does what they want and then use it. This is also bad considering the "default" for users of Vue.js is not to assume that stuff passed as an attribute to a component renders as HTML.</rant>
Going forward, I propose one of the two following changes and would be happy to send PRs for them, if this is generally desired:
`v-tooltip` strings as html by default. I know this is a breaking change, therefore option 1 may be better suited for now. At least for a possible next version (maybe with vue 3?) this should be seriously considered.
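As an added illustration of the point made in the post (this is not code from the post or from the v-tooltip project): a secure-by-default wrapper in plain JavaScript. It assumes a per-tooltip `html` option like the one the linked config sets, and it stands in for a real DOM with a small regex model of what an HTML-rendering tooltip would create from its content string.

```javascript
// Added example, not code from the post or from v-tooltip. It assumes the
// per-tooltip `html` option (true by default before v3, per the linked config).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can change the meaning of an HTML text node or
// quoted attribute value. Single pass, so nothing is escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Preferred fix: opt out of HTML rendering so the library shows the text literally.
function textTooltip(content) {
  return { content: String(content), html: false };
}

// When the tooltip genuinely needs markup, keep the markup in the template and
// escape every interpolated value. Usage: htmlTooltip`<strong>User:</strong> ${name}`
function htmlTooltip(strings, ...values) {
  const content = strings.reduce(
    (acc, str, i) => acc + str + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
  return { content, html: true };
}

// Rough model of what an HTML-rendering tooltip does with its content string:
// with html=true the string is parsed and every "<tag" starts an element; with
// html=false it becomes a single text node. Returned as the list of tag names
// created, so the difference can be checked without a DOM.
function tagsRenderedBy({ content, html }) {
  if (!html) return [];
  return [...content.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample: a display name that a user was allowed to enter.
const userSuppliedName = '<i>ann</i> & <b>bob</b>';

// What the post describes: the raw string handed to the tooltip with the old default.
const legacyDefault = { content: userSuppliedName, html: true };
// The two hardened variants.
const asText = textTooltip(userSuppliedName);
const asMarkup = htmlTooltip`<strong>User:</strong> ${userSuppliedName}`;

console.log(tagsRenderedBy(legacyDefault)); // user-supplied markup becomes elements
console.log(tagsRenderedBy(asText));        // nothing: rendered as text
console.log(tagsRenderedBy(asMarkup));      // only the template's own element
```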