fix(tooltip): prevent xss in tooltip content (#10190)

Author: jelbourn

src/components/tooltip/tooltip.js

@@ -361,7 +361,6 @@ function MdTooltipDirective($timeout, $window, $$rAF, $document, $interpolate,
       if (!panelRef) {
         var id = 'tooltip-' + $mdUtil.nextUid();
         var attachTo = angular.element(document.body);
-        var content = element.html().trim();
         var panelAnimation = $mdPanel.newPanelAnimation()
             .openFrom(parent)
             .closeTo(parent)
@@ -373,7 +372,7 @@ function MdTooltipDirective($timeout, $window, $$rAF, $document, $interpolate,
         var panelConfig = {
           id: id,
           attachTo: attachTo,
-          template: content,
+          contentElement: element,
           propagateContainerEvents: true,
           panelClass: 'md-tooltip ' + origin,
           animation: panelAnimation,

src/components/tooltip/tooltip.spec.js

@@ -49,6 +49,18 @@ describe('MdTooltip Component', function() {
     expect(findTooltip()).toHaveClass('md-origin-bottom');
   });
 
+  it('should not re-templatize tooltip content', function() {
+    $rootScope.name = '{{2 + 2}}';
+
+    buildTooltip(
+      '<md-button>' +
+        '<md-tooltip md-visible="true">{{name}}</md-tooltip>' +
+      '</md-button>'
+    );
+
+    expect(findTooltip().text()).toBe('{{2 + 2}}');
+  });
+
   it('should preserve parent text', function() {
     buildTooltip(
       '<md-button>' +

src/core/services/compiler/compiler.js

@@ -296,7 +296,9 @@ MdCompilerService.prototype._fetchContentElement = function(options) {
       restoreFn = createRestoreFn(contentEl);
     } else {
       restoreFn = function() {
-        contentEl.parentNode.removeChild(contentEl);
+        if (contentEl.parentNode) {
+          contentEl.parentNode.removeChild(contentEl);
+        }
       }
     }
   }