From 377b5329c40c54d169568a717735bdfcbae7975a Mon Sep 17 00:00:00 2001
From: Jeremy Elbourn
Date: Wed, 28 Dec 2016 12:19:29 -0800
Subject: [PATCH] fix(tooltip): prevent xss in tooltip content

---
 src/components/tooltip/tooltip.js | 3 +--
 src/components/tooltip/tooltip.spec.js | 12 ++++++++++++
 src/core/services/compiler/compiler.js | 4 +++-
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/components/tooltip/tooltip.js b/src/components/tooltip/tooltip.js
index 690680f06f0..7436e50045e 100644
--- a/src/components/tooltip/tooltip.js
+++ b/src/components/tooltip/tooltip.js
@@ -361,7 +361,6 @@ function MdTooltipDirective($timeout, $window, $$rAF, $document, $interpolate,
 if (!panelRef) {
 var id = 'tooltip-' + $mdUtil.nextUid();
 var attachTo = angular.element(document.body);
- var content = element.html().trim();
 var panelAnimation = $mdPanel.newPanelAnimation()
 .openFrom(parent)
 .closeTo(parent)
@@ -373,7 +372,7 @@ function MdTooltipDirective($timeout, $window, $$rAF, $document, $interpolate,
 var panelConfig = {
 id: id,
 attachTo: attachTo,
- template: content,
+ contentElement: element,
 propagateContainerEvents: true,
 panelClass: 'md-tooltip ' + origin,
 animation: panelAnimation,
diff --git a/src/components/tooltip/tooltip.spec.js b/src/components/tooltip/tooltip.spec.js
index ee4b3b635bc..5f8a5a59c69 100644
--- a/src/components/tooltip/tooltip.spec.js
+++ b/src/components/tooltip/tooltip.spec.js
@@ -49,6 +49,18 @@ describe('MdTooltip Component', function() {
 expect(findTooltip()).toHaveClass('md-origin-bottom');
 });

+ it('should not re-templatize tooltip content', function() {
+ $rootScope.name = '{{2 + 2}}';
+
+ buildTooltip(
+ '' +
+ '{{name}}' +
+ ''
+ );
+
+ expect(findTooltip().text()).toBe('{{2 + 2}}');
+ });
+
 it('should preserve parent text', function() {
 buildTooltip(
 '' +
diff --git a/src/core/services/compiler/compiler.js b/src/core/services/compiler/compiler.js
index 5dfe2122bed..d72da3d2fb3 100644
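Review bot: The `contentElement: element` line in the second tooltip.js hunk (@@ -373) carries no comment saying why the element itself is handed to the panel instead of its markup, and that reason is the entire fix: `element.html()` passed as `template` was compiled a second time, so text that Angular had already interpolated once (the spec hunk's `{{name}}` resolving to `{{2 + 2}}`) was evaluated again as an expression. Add a why-comment above that property, e.g. `// Pass the existing element, not element.html(): re-compiling the rendered text as a template would interpolate user-supplied {{ }} content a second time.`, so a later refactor does not quietly reintroduce `template:`. The first hunk (@@ -361) drops the `.trim()` along with the HTML path; whether leading or trailing whitespace in the tooltip text is still handled now depends on how the panel places `contentElement`, which is not visible here. MdTooltipDirective's body starts and ends outside both hunks.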
--- a/src/core/services/compiler/compiler.js
+++ b/src/core/services/compiler/compiler.js
@@ -296,7 +296,9 @@ MdCompilerService.prototype._fetchContentElement = function(options) {
 restoreFn = createRestoreFn(contentEl);
 } else {
 restoreFn = function() {
- contentEl.parentNode.removeChild(contentEl);
+ if (contentEl.parentNode) {
+ contentEl.parentNode.removeChild(contentEl);
+ }
 }
 }
 }
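Review bot: The new `if (contentEl.parentNode)` guard turns the restore function into a silent no-op when the content element has already been detached, but nothing records why that state is expected, so the check reads as redundant and is likely to be removed again. Add a why-comment above it, e.g. `// The owner of contentElement may detach it before the panel is destroyed (e.g. the directive that supplied it is torn down while the panel is open); removeChild on an orphaned node would throw.` The condition of the enclosing `if`/`else` and the start of `_fetchContentElement` lie outside the hunk, so which callers reach this restoreFn — presumably the new tooltip `contentElement` path in this same commit — cannot be confirmed from here.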