From e418a51432553f843c04036778765cf68b027521 Mon Sep 17 00:00:00 2001
From: James George <25279263+jamesgeorge007@users.noreply.github.com>
Date: Sat, 14 Mar 2026 17:26:44 +0530
Subject: [PATCH] fix(common): prevent stored XSS in team member overflow
 tooltip (#5984)

---
 .../hoppscotch-common/assets/themes/tippy-themes.scss    | 9 +++++++++
 .../src/components/teams/MemberStack.vue                 | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/packages/hoppscotch-common/assets/themes/tippy-themes.scss b/packages/hoppscotch-common/assets/themes/tippy-themes.scss
index 30adb241..db1ce75c 100644
--- a/packages/hoppscotch-common/assets/themes/tippy-themes.scss
+++ b/packages/hoppscotch-common/assets/themes/tippy-themes.scss
@@ -64,6 +64,15 @@
     }
   }
 
+  // Override truncation for multiline member-list tooltips
+  .tippy-box[data-theme~="member-list"] {
+    .tippy-content {
+      @apply whitespace-pre-line;
+      @apply block;
+      @apply overflow-auto;
+    }
+  }
+
   .tippy-box[data-theme~="popover"] {
     @apply bg-popover;
     @apply border-solid;
diff --git a/packages/hoppscotch-common/src/components/teams/MemberStack.vue b/packages/hoppscotch-common/src/components/teams/MemberStack.vue
index 7ea5a934..498ba354 100644
--- a/packages/hoppscotch-common/src/components/teams/MemberStack.vue
+++ b/packages/hoppscotch-common/src/components/teams/MemberStack.vue
@@ -15,7 +15,7 @@
     </div>
     <button
       v-if="props.showCount && props.teamMembers.length > maxMembersSoftLimit"
-      v-tippy="{ theme: 'tooltip', allowHTML: true }"
+      v-tippy="{ theme: 'tooltip member-list' }"
       :title="remainingSlicedMembers"
       class="text-[8px] z-10 inline-flex h-5 w-5 cursor-pointer items-center justify-center rounded-full bg-dividerDark text-secondaryDark ring-2 ring-primary focus:outline-none focus-visible:ring-2 focus-visible:ring-primaryDark"
       tabindex="0"
@@ -73,9 +73,9 @@ const remainingSlicedMembers = computed(
       .slice(maxMembersSoftLimit)
       .slice(0, maxMembersHardLimit)
       .map((member) => getUserWithRole(member as TeamMember))
-      .join(`,<br>`) +
+      .join(",\n") +
     (props.teamMembers.length - (maxMembersSoftLimit + maxMembersHardLimit) > 0
-      ? `,<br>${t("team.more_members", {
+      ? `,\n${t("team.more_members", {
           count:
             props.teamMembers.length -
             (maxMembersSoftLimit + maxMembersHardLimit),