From 3ffac74e32b801ff7e61985bc30eb9af58c2a3d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simen=20Heggest=C3=B8yl?=
Date: Mon, 9 Oct 2023 15:38:21 +0200
Subject: [PATCH] Don't render HTML in tooltips

This fixes an XSS issue because the v-tooltip library is rendering HTML by default.
---
 CHANGELOG.md | 4 ++++
 src/main.js | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba53e776b..21c708770 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,10 @@ All notable changes to this project will be documented in this file. The format
 - The admin panel tab has been completely removed from the item tab bar (all functionality moved to drawers).
+### Security
+
+- Fixed an XSS issue with the rendering of tooltips.
+
 ## [3.9.0] 2023-09-01
 ### Added
diff --git a/src/main.js b/src/main.js
index e3f80ba93..62974f933 100644
--- a/src/main.js
+++ b/src/main.js
@@ -31,7 +31,9 @@ Vue.use(Toasted, {
   className: 'toast',
   duration: 3500,
 });
-Vue.use(VTooltip);
+Vue.use(VTooltip, {
+  defaultHtml: false,
+});
 Vue.use(VueMeta);
 Vue.use(firestorePlugin);
 Vue.use(VueFlatPickr);
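Review bot: The new `defaultHtml: false` in `Vue.use(VTooltip, {...})` only changes the plugin-wide default, so any `v-tooltip` binding that passes `html: true` explicitly (or a popover component with an `html` prop) still renders markup, and the fix should be paired with a grep for such overrides and for tooltip content derived from user-controlled data. Because an unrecognized option key is silently ignored by the plugin, a regression test that a tooltip bound to a string like `<img src=x onerror=alert(1)>` renders it as literal text would confirm the key is right for the installed version — as far as I recall `defaultHtml` is the v-tooltip 2.x name and the option moved in later major versions. Tooltips that relied on HTML for formatting (line breaks, bold) will now show raw tags, which is worth a quick visual pass. A one-line why-comment above the option would help future readers, e.g. `// Render tooltip content as text, never HTML: tooltip strings can carry user-controlled data (XSS).`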