
Merge pull request #5584 from open-webui/dev

fix: node tooltip xss issue
Timothy Jaeryang Baek há 7 meses atrás
pai
commit
6b463164f4

+ 1 - 0
src/lib/components/chat/Overview/Node.svelte

@@ -15,6 +15,7 @@
 	<Tooltip
 		content={data?.message?.error ? data.message.error.content : data.message.content}
 		class="w-full"
+		allowHTML={false}
 	>
 		{#if data.message.role === 'user'}
 			<div class="flex w-full">
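Review bot: The added `allowHTML={false}` on this Tooltip has no comment saying why this call site differs from the others, so a later cleanup could remove it and reopen the issue. The tooltip content here is `data.message.content` or the error content, which is chat text and not trusted markup. I would add a line above the `<Tooltip` tag such as `<!-- message text is untrusted: keep this tooltip text-only -->`. The surrounding markup starts and ends outside the hunk.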

+ 7 - 4
src/lib/components/common/Tooltip.svelte

@@ -1,4 +1,6 @@
 <script lang="ts">
+	import DOMPurify from 'dompurify';
+
 	import { onDestroy } from 'svelte';
 	import { marked } from 'marked';
 
@@ -10,18 +12,19 @@
 	export let touch = true;
 	export let className = 'flex';
 	export let theme = '';
+	export let allowHTML = true;
 
 	let tooltipElement;
 	let tooltipInstance;
 
 	$: if (tooltipElement && content) {
 		if (tooltipInstance) {
-			tooltipInstance.setContent(content);
+			tooltipInstance.setContent(DOMPurify.sanitize(content));
 		} else {
 			tooltipInstance = tippy(tooltipElement, {
-				content: content,
+				content: DOMPurify.sanitize(content),
 				placement: placement,
-				allowHTML: true,
+				allowHTML: allowHTML,
 				touch: touch,
 				...(theme !== '' ? { theme } : { theme: 'dark' }),
 				arrow: false,
@@ -41,6 +44,6 @@
 	});
 </script>
 
-<div bind:this={tooltipElement} aria-label={content} class={className}>
+<div bind:this={tooltipElement} aria-label={DOMPurify.sanitize(content)} class={className}>
 	<slot />
 </div>
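Review bot: `export let allowHTML = true;` keeps HTML rendering as the default, so the fix is opt-out: only Node.svelte becomes text-only and every other caller still depends on DOMPurify alone. Sanitizing stops script execution, but with its default configuration it leaves ordinary markup such as links and images in place, so untrusted content passed by another caller could still inject visible HTML into a tooltip. Consider `export let allowHTML = false;` with trusted callers opting in; that needs an audit of existing callers, which this page does not show. Separately, `aria-label={DOMPurify.sanitize(content)}` puts sanitized HTML source into an attribute Svelte already escapes, so assistive technology would read the tags aloud; a text-only form such as `DOMPurify.sanitize(content, { ALLOWED_TAGS: [] })` fits better there. The same sanitize call now appears three times and could be computed once with `$: safeContent = DOMPurify.sanitize(content);`.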