commit 97db80ac62988ea5cd7db68962d24312eeab57b6
author 100pah <sushuang0322@gmail.com> Thu Jan 21 15:07:00 2021 +0800
committer 100pah <sushuang0322@gmail.com> Thu Jan 21 15:07:00 2021 +0800
tree 5531d204104718b791cbc489adc84fca51a011b7
parent 758aa43c8813b416d644f13a47660b7c4589c935

fix: add encode html to avoid xss risk.

src/component/tooltip/tooltipMarkup.ts

diff --git a/src/component/tooltip/tooltipMarkup.ts b/src/component/tooltip/tooltipMarkup.ts
index b59be65..2e88c1d 100644
--- a/src/component/tooltip/tooltipMarkup.ts
+++ b/src/component/tooltip/tooltipMarkup.ts
@@ -58,9 +58,12 @@
     const valueFontWeight = textStyle.fontWeight || '900';
 
     if (renderMode === 'html') {
+        // `textStyle` is probably from user input, should be encoded to reduce security risk.
         return {
-            nameStyle: `font-size:${nameFontSize}px;color:${nameFontColor};font-weight:${nameFontWeight}`,
-            valueStyle: `font-size:${valueFontSize}px;color:${valueFontColor};font-weight:${valueFontWeight}`
+            // eslint-disable-next-line max-len
+            nameStyle: `font-size:${encodeHTML(nameFontSize + '')}px;color:${encodeHTML(nameFontColor)};font-weight:${encodeHTML(nameFontWeight + '')}`,
+            // eslint-disable-next-line max-len
+            valueStyle: `font-size:${encodeHTML(valueFontSize + '')}px;color:${encodeHTML(valueFontColor)};font-weight:${encodeHTML(valueFontWeight + '')}`
         };
     }
     else {