Cannot easily use v-tooltip with user-generated content (XSS / HTML injection)

[x1B]

First, thanks for creating this very useful project.

I noticed that it is currently not easily possible to safely put user-generated content into v-tooltip, because the popper option html is always true and I cannot seem to override it. E.g. if you have code such as v-tooltip="user.name", users would be able to enter a name such as <b>Example</b> or worse, leading to XSS vulnerabilities.

I tried the following approaches, but none of them helped:

• install VTooltip with { defaultPopperOptions: { html: false } } using Vue.use
• pass v-tooltip="{ popperOptions: { html: false }, content: user.name }"
• pass v-tooltip="{ html: false, content: user.name }"

I would expect at least the first two options to work.

Right now, the only way seems to be

• either to manually sanitize the input text using e.g. the DOM API,
• or to use v-popover instead, which is much more complicated compared to v-tooltip.

Personally, I think that the most straightforward way to use v-tooltip (just using the directive attribute) should also be "safe by default". Or is there maybe another simple way to achieve what I am looking for?

[x1B]

@Akryum thanks, I'll make sure to try it out!