Skip to content

Don't allow sanitize in BS popover #728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Don't allow sanitize in BS popover #728

wants to merge 1 commit into from

Conversation

@duzun
Copy link

@duzun duzun commented Jul 2, 2019

In BS v3.4.1 tooltips and popovers sanitize HTML by default, thus removing navigation buttons from the tour.

@duzun
Don't allow sanitize in BS popover
5e67c7c 
In [BS v3.4.1](https://github.com/twbs/bootstrap/blob/v3.4.1/js/popover.js#L51) tooltips and popovers sanitize HTML by default, thus removing navigation buttons from the tour.
@IGreatlyDislikeJavascript
Copy link

IGreatlyDislikeJavascript commented Jul 8, 2019
edited
Loading

Sorry, I feel like I'm repeatedly posting the same thing on this issue. Turning off the sanitizer as per your patch will fix the issue, but will introduce a potential security vulnerability due to XSS etc depending on how your code works.

I strongly suggest that you change your patch to specifically whitelist the button elements, or use my fork which exposes options to do this for you.

See #729

@duzun
Copy link
Author

duzun commented Jul 8, 2019

My bad, I did not investigate the code thoroughly enough.
I thought the source of HTML is internal only, but now I see user can pass contents and the template of the popover through options.
In my project, I've just disabled BS sanitization globally, because of this issue.
I know what I'm doing and can afford this (a browser extension with strict CSP and the only source of HTML being my compiled JS).

But I can imagine other projects, where this issue arises and someone disables BS sanitization globally as a quick fix, with far more bad consequences than good ones.

IMHO it should work out of the box, at least with BS 3.4. And only sanitize user-supplied contents of templates, if not explicitly requested otherwise.

@uxdevopstevan
Copy link

uxdevopstevan commented Aug 20, 2019

I would recommend using @IGreatlyDislikeJavascript fork It is working much better.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@shaischaudhry shaischaudhry shaischaudhry approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@duzun @IGreatlyDislikeJavascript @uxdevopstevan @shaischaudhry