The contents of the tooltip are inserted directly into the page without proper escaping. This means that including quotation marks breaks the loading and rendering of the map. Additionally, inserting a newline also breaks rendering.
It also means that by setting the value of the tooltip as follows, arbitrary javascript can be inserted into the page:
goiblas
commented
5 years ago
The contents of the tooltip are inserted directly into the page without proper escaping. This means that including quotation marks breaks the loading and rendering of the map. Additionally, inserting a newline also breaks rendering.
It also means that by setting the value of the tooltip as follows, arbitrary javascript can be inserted into the page:
(You should see an alert, and an entry in the console.)