From cb4f2f72d67a83217a4c67fc3e280b3e5add2a96 Mon Sep 17 00:00:00 2001
From: Netanel Basal
Date: Thu, 15 Jul 2021 12:56:34 +0300
Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20don't=20use=20innerhtml?= =?UTF-8?q?=20when=20passing=20a=20string?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BREAKING CHANGE: When providing a string as content, we use innertext instead to prevent xss
---
 .gitignore | 1 +
 projects/ngneat/helipopper/package.json | 3 +++
 .../ngneat/helipopper/src/lib/tippy.directive.ts | 4 ++++
 src/app/app.component.html | 13 +++++++++++++
 4 files changed, 21 insertions(+)

diff --git a/.gitignore b/.gitignore
index 86d943a..3c86666 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ testem.log
 # System Files
 .DS_Store
 Thumbs.db
+cypress/screenshots
diff --git a/projects/ngneat/helipopper/package.json b/projects/ngneat/helipopper/package.json
index 938cc71..1b11c5f 100644
--- a/projects/ngneat/helipopper/package.json
+++ b/projects/ngneat/helipopper/package.json
@@ -7,6 +7,9 @@
 "tippy.js": "^6.2.3",
 "tslib": "^2.0.0"
 },
+ "peerDependencies": {
+ "@ngneat/overview": "*"
+ },
 "keywords": [
 "angular",
 "angular tooltip",
diff --git a/projects/ngneat/helipopper/src/lib/tippy.directive.ts b/projects/ngneat/helipopper/src/lib/tippy.directive.ts
index a1776fd..65b9435 100644
--- a/projects/ngneat/helipopper/src/lib/tippy.directive.ts
+++ b/projects/ngneat/helipopper/src/lib/tippy.directive.ts
@@ -211,6 +211,10 @@ export class TippyDirective implements OnChanges, AfterViewInit, OnDestroy, OnIn
 },
 onShow: instance => {
 this.zone.run(() => {
+ const content = this.resolveContent();
+ if (isString(content)) {
+ instance.setProps({ allowHTML: false });
+ }
 instance.setContent(this.resolveContent());
 this.hideOnEscape && this.handleEscapeButton();
 });
diff --git a/src/app/app.component.html b/src/app/app.component.html
index 7da3860..6426485 100644
--- a/src/app/app.component.html
+++ b/src/app/app.component.html
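Review bot: The `peerDependencies` entry added in projects/ngneat/helipopper/package.json uses the range `*`, so any published version of `@ngneat/overview` satisfies it, including future majors the library has never been built against. Constrain it to the range the library is actually tested with, e.g. `"@ngneat/overview": "^<tested-major>.0.0"` (placeholder; the tested version is not shown on this page).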
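Review bot: In the `onShow` callback of tippy.directive.ts, the `isString` check and the `setContent` call each invoke `this.resolveContent()` separately, so the value that was checked is not necessarily the value that gets rendered; reuse the local instead, `instance.setContent(content);`. If `resolveContent()` creates a view for template or component content (its body is not in this hunk), the second call would also build that view twice. The guard runs only in `onShow`, so any other path in the directive that passes a string to `setContent` or `setProps` would presumably still render under the instance's existing `allowHTML` value; confirm those paths, or set `allowHTML: false` where the instance is created. The enclosing callback and class continue outside the hunk.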
@@ -273,3 +273,16 @@
Menu
+ +
+
Sanitize
+ + +
+ +