FEATURE: allows html tooltips (#6665)

test/javascripts/lib/tooltip-test.js.es6

@@ -4,22 +4,56 @@ import { registerTooltip } from "discourse/lib/tooltip";
 QUnit.module("lib:tooltip", {
   beforeEach() {
     fixture().html(
-      "<a class='test-link' data-tooltip='XSS<s onmouseover\=alert(document.domain)>XSS'>test</a>"
+      `
+        <a class='test-text-link' data-tooltip='XSS<s onmouseover\=alert(document.domain)>XSS'>test</a>
+        <a class='test-html-link' data-html-tooltip='<p>test</p>'>test</a>
+      `
     );
   }
 });
 
-QUnit.test("it prevents XSS injection", assert => {
-  const $testLink = fixture(".test-link");
-  registerTooltip($testLink);
-  $testLink.click();
+QUnit.test("text support", async assert => {
+  const $testTextLink = fixture(".test-text-link");
+  registerTooltip($testTextLink);
 
-  andThen(() => {
-    assert.equal(
-      fixture(".tooltip-content")
-        .html()
-        .trim(),
-      "XSS&lt;s onmouseover=alert(document.domain)&gt;XSS"
-    );
-  });
+  await $testTextLink.click();
+
+  assert.equal(
+    fixture(".tooltip-content")
+      .html()
+      .trim(),
+    "XSS&lt;s onmouseover=alert(document.domain)&gt;XSS",
+    "it prevents XSS injection"
+  );
+
+  assert.equal(
+    fixture(".tooltip-content")
+      .text()
+      .trim(),
+    "XSS<s onmouseover=alert(document.domain)>XSS",
+    "it returns content as plain text"
+  );
+});
+
+QUnit.test("html support", async assert => {
+  const $testHtmlLink = fixture(".test-html-link");
+  registerTooltip($testHtmlLink);
+
+  await $testHtmlLink.click();
+
+  assert.equal(
+    fixture(".tooltip-content")
+      .html()
+      .trim(),
+    "<p>test</p>",
+    "it doesn’t escape HTML"
+  );
+
+  assert.equal(
+    fixture(".tooltip-content")
+      .text()
+      .trim(),
+    "test",
+    "it returns content as plain text"
+  );
 });