mirror_css/bootstrap
1
0
Fork 0
mirror of https://github.com/twbs/bootstrap.git synced 2025-08-20 12:21:35 +02:00
Code Issues Releases Wiki Activity

add html option back to tooltip and popover to explicitly prevent XSS #3421

Browse Source
This commit is contained in:
Jacob Thornton
2012-06-02 17:55:10 -07:00
parent fc96bc8bba
commit f836473129
8 changed files with 37 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/assets/js/bootstrap-popover.js vendored
View File

@@ -43,8 +43,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }

12
docs/assets/js/bootstrap-tooltip.js vendored
View File

@@ -148,20 +148,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
@@ -270,6 +261,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);

16
docs/assets/js/bootstrap.js vendored
View File

@@ -1092,20 +1092,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
@@ -1214,6 +1205,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);
@@ -1262,8 +1254,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }

2
docs/assets/js/bootstrap.min.js vendored
View File

File diff suppressed because one or more lines are too long

12
docs/javascript.html
View File

@@ -771,6 +771,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>apply a css fade transition to the tooltip</td> <td>apply a css fade transition to the tooltip</td>
</tr> </tr>
<tr>
<td>html</td>
<td>boolean</td>
<td>true</td>
<td>Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.</td>
</tr>
<tr> <tr>
<td>placement</td> <td>placement</td>
<td>string|function</td> <td>string|function</td>
@@ -874,6 +880,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>apply a css fade transition to the tooltip</td> <td>apply a css fade transition to the tooltip</td>
</tr> </tr>
<tr>
<td>html</td>
<td>boolean</td>
<td>true</td>
<td>Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.</td>
</tr>
<tr> <tr>
<td>placement</td> <td>placement</td>
<td>string|function</td> <td>string|function</td>

12
docs/templates/pages/javascript.mustache vendored
View File

@@ -693,6 +693,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td> <td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td>
</tr> </tr>
<tr>
<td>{{_i}}html{{/i}}</td>
<td>{{_i}}boolean{{/i}}</td>
<td>true</td>
<td>{{_i}}Insert html into the tooltip. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.{{/i}}</td>
</tr>
<tr> <tr>
<td>{{_i}}placement{{/i}}</td> <td>{{_i}}placement{{/i}}</td>
<td>{{_i}}string|function{{/i}}</td> <td>{{_i}}string|function{{/i}}</td>
@@ -796,6 +802,12 @@ $('a[data-toggle="tab"]').on('shown', function (e) {
<td>true</td> <td>true</td>
<td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td> <td>{{_i}}apply a css fade transition to the tooltip{{/i}}</td>
</tr> </tr>
<tr>
<td>{{_i}}html{{/i}}</td>
<td>{{_i}}boolean{{/i}}</td>
<td>true</td>
<td>{{_i}}Insert html into the popover. If false, jquery's <code>text</code> method will be used to insert content into the dom. Use text if you're worried about XSS attacks.{{/i}}</td>
</tr>
<tr> <tr>
<td>{{_i}}placement{{/i}}</td> <td>{{_i}}placement{{/i}}</td>
<td>{{_i}}string|function{{/i}}</td> <td>{{_i}}string|function{{/i}}</td>

4
js/bootstrap-popover.js vendored
View File

@@ -43,8 +43,8 @@
, title = this.getTitle() , title = this.getTitle()
, content = this.getContent() , content = this.getContent()
$tip.find('.popover-title')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.popover-title')[this.options.html ? 'html' : 'text'](title)
$tip.find('.popover-content > *')[this.isHTML(content) ? 'html' : 'text'](content) $tip.find('.popover-content > *')[this.options.html ? 'html' : 'text'](content)
$tip.removeClass('fade top bottom left right in') $tip.removeClass('fade top bottom left right in')
} }

12
js/bootstrap-tooltip.js vendored
View File

@@ -148,20 +148,11 @@
} }
} }
, isHTML: function(text) {
// html string detection logic adapted from jQuery
return typeof text != 'string'
|| ( text.charAt(0) === "<"
&& text.charAt( text.length - 1 ) === ">"
&& text.length >= 3
) || /^(?:[^<]*<[\w\W]+>[^>]*$)/.exec(text)
}
, setContent: function () { , setContent: function () {
var $tip = this.tip() var $tip = this.tip()
, title = this.getTitle() , title = this.getTitle()
$tip.find('.tooltip-inner')[this.isHTML(title) ? 'html' : 'text'](title) $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
$tip.removeClass('fade in top bottom left right') $tip.removeClass('fade in top bottom left right')
} }
@@ -270,6 +261,7 @@
, trigger: 'hover' , trigger: 'hover'
, title: '' , title: ''
, delay: 0 , delay: 0
, html: true
} }
}(window.jQuery); }(window.jQuery);