Skip to content

B
bootstrap
Commit f8364731 authored by Jacob Thornton's avatar Jacob Thornton
Browse files
Options

add html option back to tooltip and popover to explicitly prevent XSS #3421

parent fc96bc8b
Expand all Show whitespace changes
Inline Side-by-side
Showing with 37 additions and 37 deletions
docs/assets/js/bootstrap-popover.js
View file @ f8364731
...@@ -43,8 +43,8 @@ ...@@ -43,8 +43,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }
......
docs/assets/js/bootstrap-tooltip.js
View file @ f8364731
...@@ -148,20 +148,11 @@ ...@@ -148,20 +148,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
...@@ -270,6 +261,7 @@ ...@@ -270,6 +261,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);
docs/assets/js/bootstrap.js
View file @ f8364731
...@@ -1092,20 +1092,11 @@ ...@@ -1092,20 +1092,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
...@@ -1214,6 +1205,7 @@ ...@@ -1214,6 +1205,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);
...@@ -1262,8 +1254,8 @@ ...@@ -1262,8 +1254,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }
......
docs/assets/js/bootstrap.min.js
View file @ f8364731
This diff is collapsed.
docs/javascript.html
View file @ f8364731
...@@ -771,6 +771,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) { ...@@ -771,6 +771,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>apply a css fade transition to the tooltip</td> <td>apply a css fade transition to the tooltip</td>
</tr> </tr>
<tr>
<td>html</td>
<td>boolean</td>
<td>true</td>
<td>Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.</td>
</tr>
<tr> <tr>
<td>placement</td> <td>placement</td>
<td>string|function</td> <td>string|function</td>
...@@ -874,6 +880,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) { ...@@ -874,6 +880,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>apply a css fade transition to the tooltip</td> <td>apply a css fade transition to the tooltip</td>
</tr> </tr>
<tr>
<td>html</td>
<td>boolean</td>
<td>true</td>
<td>Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.</td>
</tr>
<tr> <tr>
<td>placement</td> <td>placement</td>
<td>string|function</td> <td>string|function</td>
......
docs/templates/pages/javascript.mustache
View file @ f8364731
...@@ -693,6 +693,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) { ...@@ -693,6 +693,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td> <td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td>
</tr> </tr>
<tr>
<td>{{_i}}html{{/i}}</td>
<td>{{_i}}boolean{{/i}}</td>
<td>true</td>
<td>{{_i}}Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.{{/i}}</td>
</tr>
<tr> <tr>
<td>{{_i}}placement{{/i}}</td> <td>{{_i}}placement{{/i}}</td>
<td>{{_i}}string|function{{/i}}</td> <td>{{_i}}string|function{{/i}}</td>
...@@ -796,6 +802,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) { ...@@ -796,6 +802,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td> <td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td>
</tr> </tr>
<tr>
<td>{{_i}}html{{/i}}</td>
<td>{{_i}}boolean{{/i}}</td>
<td>true</td>
<td>{{_i}}Insert html into the popover. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.{{/i}}</td>
</tr>
<tr> <tr>
<td>{{_i}}placement{{/i}}</td> <td>{{_i}}placement{{/i}}</td>
<td>{{_i}}string|function{{/i}}</td> <td>{{_i}}string|function{{/i}}</td>
......
js/bootstrap-popover.js
View file @ f8364731
...@@ -43,8 +43,8 @@ ...@@ -43,8 +43,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }
......
js/bootstrap-tooltip.js
View file @ f8364731
...@@ -148,20 +148,11 @@ ...@@ -148,20 +148,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
...@@ -270,6 +261,7 @@ ...@@ -270,6 +261,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment