If user input reaches HoverProvider while supportHtml is set to true, it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.

Likelihood: LOW
Confidence: LOW

CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
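
The pattern this rule flags, next to a safer form, as an added example (not part of the rule or of Monaco's own code). It assumes Monaco's hover result shape, { contents: [{ value, supportHtml }] }; untrustedDoc, lookupDoc, escapeMarkdown and allowsRawHtml are hypothetical names, and backslash-escaping is one possible way to neutralize the text.

```javascript
// Constructed sample: documentation text that arrives from an untrusted source
// (for example, a package description fetched at runtime).
const untrustedDoc = 'Returns <img src=x onerror=alert(1)> the *total*';
const lookupDoc = (_word) => untrustedDoc; // hypothetical lookup, stands in for a real fetch

// Flagged pattern: untrusted text interpolated into a hover that enables raw HTML.
function unsafeHover(word, doc) {
  return { contents: [{ value: `<b>${word}</b>: ${doc}`, supportHtml: true }] };
}

// Backslash-escape characters that Markdown or HTML would interpret,
// so the untrusted text is rendered literally.
function escapeMarkdown(text) {
  return text.replace(/[\\`*_{}\[\]()#+\-.!<>&|~]/g, '\\$&');
}

// Safer form: Markdown only, supportHtml left unset, every dynamic value escaped.
function safeHover(word, doc) {
  return { contents: [{ value: `**${escapeMarkdown(word)}**: ${escapeMarkdown(doc)}` }] };
}

// Check usable in a unit test over provider output: does any hover entry enable raw HTML?
function allowsRawHtml(hover) {
  return hover.contents.some((c) => c.supportHtml === true);
}

// Registration with the safer builder; skipped when Monaco is not loaded (e.g. under Node).
if (typeof monaco !== 'undefined') {
  monaco.languages.registerHoverProvider('plaintext', {
    provideHover(model, position) {
      const word = model.getWordAtPosition(position);
      return word ? safeHover(word.word, lookupDoc(word.word)) : null;
    },
  });
}
```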