Created by: pcorsaro
There is an html option for popover/tooltip again. The option defaults to true.

Having this option lets us force the popover to use the .text() method to set the title and content of the popover, regardless of whether bootstrap thinks it has detected html. The problem is that jQuery seems to unescape values grabbed with the .attr() method, so even if you escape <script>alert('data');</script> to &lt;script&gt;alert("data")&lt;/script&gt; and set it as your data-content, bootstrap will get the unescaped value from .attr(), detect that it is html, and use the .html() method to set the content of the popover, causing an XSS issue. Forcing the use of the .text() method by setting the html option to false makes sure that doesn't happen.
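The following is an added example, not code from the PR or from Bootstrap itself, that models the two code paths described above without a browser or jQuery. The entity decoding step stands in for what the browser does when it parses the data-content attribute (the value stored in the DOM, and therefore returned by .attr(), is already decoded), the element object stands in for a DOM node, and the looksLikeHtml heuristic is an assumed simplification of the html sniff; the function names, the sample attribute value and the heuristic are all assumptions.

```javascript
// Added example (not from the original PR or from Bootstrap): models the two
// content-setting paths the PR text describes, with no DOM or jQuery.

// Stand-in for the browser's attribute parsing: entity references in an
// attribute are decoded when the document is parsed, so reading the
// attribute back (.attr()) yields the raw markup, not the escaped string.
function decodeAttributeEntities(raw) {
  return raw
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Minimal stand-in for a DOM node: records whether content was assigned as
// markup (innerHTML, the path jQuery .html() takes) or as text
// (textContent, the path jQuery .text() takes).
function makeElement() {
  return { innerHTML: '', textContent: '', setVia: null };
}

// Assumed simplification of the "does this look like html?" sniff that a
// popover implementation may apply when the html option is on.
function looksLikeHtml(s) {
  return /<[a-zA-Z][^>]*>/.test(s);
}

// Popover content setter with the html option from the PR description.
// html: true lets the sniff decide; html: false always uses the text path.
function setPopoverContent(el, content, options) {
  if (options.html && looksLikeHtml(content)) {
    el.innerHTML = content;   // parsed as markup: attacker-supplied tags are live
    el.setVia = 'html';
  } else {
    el.textContent = content; // inert text: tags are displayed, not interpreted
    el.setVia = 'text';
  }
  return el;
}

// Constructed sample: the escaped data-content value from the PR text.
const ESCAPED_ATTR = '&lt;script&gt;alert("data")&lt;/script&gt;';

// Runs the full path for a given html option: attribute decode, then set.
function demo(htmlOption) {
  const fromAttr = decodeAttributeEntities(ESCAPED_ATTR); // what .attr() returns
  return setPopoverContent(makeElement(), fromAttr, { html: htmlOption });
}

console.log('html: true  ->', demo(true).setVia);   // 'html'
console.log('html: false ->', demo(false).setVia);  // 'text'
```

With html: true the decoded attribute value passes the sniff and lands in innerHTML, which is the XSS path the PR describes; with html: false the same value is assigned as text and the markup stays inert, which is why defaulting the option off for untrusted attribute values is the safe choice.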