fix(components): [el-table] escape special html characters (#6520)

* fix(components): [el-table] escape special html characters * fix: use 3rd package
element-plus · Mar 11, 2022 · 063c564 · 063c564
1 parent 0457032
commit 063c564
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -69,6 +69,7 @@
     "@vueuse/core": "^7.7.1",
     "async-validator": "^4.0.7",
     "dayjs": "^1.10.8",
+    "escape-html": "^1.0.3",
     "lodash": "^4.17.21",
     "lodash-es": "^4.17.21",
     "lodash-unified": "^1.0.2",

diff --git a/packages/components/table/src/util.ts b/packages/components/table/src/util.ts
@@ -1,5 +1,6 @@
 import { createPopper } from '@popperjs/core'
 import { get } from 'lodash-unified'
+import escapeHtml from 'escape-html'
 import { hasOwn, off, on } from '@element-plus/utils'
 import { useZIndex } from '@element-plus/hooks'
 import type {
@@ -326,6 +327,7 @@ export function createTablePopper(
     const isLight = tooltipEffect === 'light'
     const content = document.createElement('div')
     content.className = `el-popper ${isLight ? 'is-light' : 'is-dark'}`
+    popperContent = escapeHtml(popperContent)
     content.innerHTML = popperContent
     content.style.zIndex = String(nextZIndex())
     document.body.appendChild(content)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml