fix: add HTML encoding to avoid XSS risk.
diff --git a/src/component/tooltip/tooltipMarkup.ts b/src/component/tooltip/tooltipMarkup.ts
index b59be65..2e88c1d 100644
--- a/src/component/tooltip/tooltipMarkup.ts
+++ b/src/component/tooltip/tooltipMarkup.ts
@@ -58,9 +58,12 @@
const valueFontWeight = textStyle.fontWeight || '900';
if (renderMode === 'html') {
+ // `textStyle` is probably from user input, should be encoded to reduce security risk.
return {
- nameStyle: `font-size:${nameFontSize}px;color:${nameFontColor};font-weight:${nameFontWeight}`,
- valueStyle: `font-size:${valueFontSize}px;color:${valueFontColor};font-weight:${valueFontWeight}`
+ // eslint-disable-next-line max-len
+ nameStyle: `font-size:${encodeHTML(nameFontSize + '')}px;color:${encodeHTML(nameFontColor)};font-weight:${encodeHTML(nameFontWeight + '')}`,
+ // eslint-disable-next-line max-len
+ valueStyle: `font-size:${encodeHTML(valueFontSize + '')}px;color:${encodeHTML(valueFontColor)};font-weight:${encodeHTML(valueFontWeight + '')}`
};
}
else {