Tooltip docs need to explain Jenkins behavior changes

[daniel-beck]

Describe your use-case which is not covered by existing documentation.

https://weekly.ci.jenkins.io/design-library/Tooltips/ does not mention that the behavior of tooltip has changed over time. As a result in invites developers to introduce XSS vulnerabilities in their code by letting them assume that tooltip has always behaved as documented.

Any plugin that is compatible with Jenkins before the introduction of html-tooltip needs to escape or sanitize content of tooltip.

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

[uhafner]

What is also missing: how can I make tooltips backward compatible: what needs to be done if I want to use HTML tooltips in Jenkins 2.380 and in the LTS 2.361.4? Should I use tooltip, html-tooltip, or data-html-tooltip? Or a mix?

[timja]

For backwards compatibility set both tooltip and data-html-tooltip. tooltip will be ignored if the html one is set on new versions