change tooltip/popover html default to false for xss safety net

2022-11-09 12:25:43 -05:00 · 2012-09-24 23:15:36 -07:00 · 2012-09-24 23:15:36 -07:00 · 003fcccceb
commit 003fcccceb
parent ebf94c53a5
5 changed files with 6 additions and 5 deletions
--- a/docs/assets/js/bootstrap-tooltip.js
+++ b/docs/assets/js/bootstrap-tooltip.js
@ -269,7 +269,7 @@
  , trigger: 'hover'
  , title: ''
  , delay: 0
-  , html: true
+  , html: false
  }

 }(window.jQuery);
--- a/docs/assets/js/bootstrap.js
+++ b/docs/assets/js/bootstrap.js
@ -1231,7 +1231,7 @@
  , trigger: 'hover'
  , title: ''
  , delay: 0
-  , html: true
+  , html: false
  }

 }(window.jQuery);
--- a/docs/assets/js/bootstrap.min.js
+++ b/docs/assets/js/bootstrap.min.js
--- a/js/bootstrap-tooltip.js
+++ b/js/bootstrap-tooltip.js
@ -269,7 +269,7 @@
  , trigger: 'hover'
  , title: ''
  , delay: 0
-  , html: true
+  , html: false
  }

 }(window.jQuery);
--- a/js/tests/unit/bootstrap-tooltip.js
+++ b/js/tests/unit/bootstrap-tooltip.js
@ -37,10 +37,11 @@ $(function () {
        tooltip.tooltip('hide')
      })

-      test("should always allow html entities", function () {
+      test("should allow html entities", function () {
        $.support.transition = false
        var tooltip = $('<a href="#" rel="tooltip" title="<b>@fat</b>"></a>')
          .appendTo('#qunit-fixture')
+          .tooltip({html: true})
          .tooltip('show')

        ok($('.tooltip b').length, 'b tag was inserted')