[PR #5984] [MERGED] fix(common): prevent stored XSS in team member overflow tooltip #5446

Closed
opened 2026-03-17 02:53:24 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5984
Author: @jamesgeorge007
Created: 3/13/2026
Status: Merged
Merged: 3/14/2026
Merged by: @jamesgeorge007

Base: next ← Head: fix/html-injection-memberstack


📝 Commits (1)

  • 94573eb fix(common): prevent stored XSS in team member overflow tooltip

📊 Changes

2 files changed (+12 additions, -3 deletions)

View changed files

📝 packages/hoppscotch-common/assets/themes/tippy-themes.scss (+9 -0)
📝 packages/hoppscotch-common/src/components/teams/MemberStack.vue (+3 -3)

📄 Description

Addresses GHSA-vw93-4m6p-ccm9.
Closes FE-1165.

The team member overflow tooltip rendered user-controlled content as HTML, which allowed stored XSS in workspaces with 4+ members.

What's changed

  • Removed allowHTML: true from the v-tippy directive so content renders as plain text.
  • Replaced <br> join separators with \n for newline-separated tooltip entries.
  • Added member-list tippy theme variant with white-space: pre-line to preserve multiline rendering without HTML.

Notes to reviewers

No intended visual change for typical member lists: the overflow tooltip continues to render as before, but display names are now treated as plain text.

Manual verification: use a team workspace with 4+ members where one member’s display name contains HTML markup. The overflow tooltip should render that markup as literal text rather than interpreting it as HTML.


Summary by cubic

Fixes a stored XSS in the team member overflow tooltip by rendering member names as plain text and preserving multiline safely. Addresses FE-1165 and GHSA-vw93-4m6p-ccm9.

  • Bug Fixes
    • Removed allowHTML from v-tippy; tooltip content is now plain text.
    • Switched <br> joins to "\n" and added a member-list tippy theme with white-space: pre-line to keep line breaks without HTML.
    • No visual changes expected; any markup in display names now appears as literal text.

Written for commit 94573eb843. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
