Closed
Describe the bug
On 1.x, implementing a Tooltip results in an XSS vulnerability. If a tooltip's text is dynamic, it is possible to execute a script when the tooltip loads.
To Reproduce
Create a tooltip like this:
<div class="missing-photo" v-tooltip.bottom="{ text:myName }"> where myName is a string that contains an executable script, like: <style onload=alert(document.cookie)></style>.
Hover over the tooltip and you will see the script execute.
I think the issue is here. Rather than setting the text to innerHTML we might want to set it to innerText.
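The sink described above (dynamic tooltip text assigned to innerHTML) and the two ways to close it (assign to textContent, or HTML-escape the value when the markup has to be built as a string), as an added example. This is not code from the v-tooltip project; the function names, the helper, and the sample payload are this example's own, and the sample payload is constructed to mirror the shape of the one in the report.

```javascript
// Added example, not the project's code. Shows why untrusted tooltip text
// must never reach innerHTML, and two correct alternatives.

// Escape the characters that change meaning in an HTML text or attribute
// context. Everything else passes through unchanged.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE (the pattern in the report): the string is parsed as markup, so a
// value like '<style onload=alert(document.cookie)></style>' becomes a live
// element whose onload handler runs when the tooltip is shown.
// Requires a real DOM element; shown for contrast only.
function setTooltipTextUnsafe(el, text) {
  el.innerHTML = text;
}

// FIX 1: textContent stores the string as text. The browser never parses it,
// so tags and event-handler attributes are displayed literally.
function setTooltipTextSafe(el, text) {
  el.textContent = text;
}

// FIX 2: when the tooltip markup must be assembled as a string (a template,
// server-side rendering, a string-based component), escape the dynamic part
// before concatenating. The static wrapper is author-controlled and stays raw.
function buildTooltipHtml(text) {
  return '<div class="tooltip">' + escapeHtml(text) + '</div>';
}

// Constructed sample value in the shape of the report's payload.
const SAMPLE_PAYLOAD = '<style onload=alert(document.cookie)></style>';

// Helper for checking a rendered string: after escaping, no '<' may remain
// in the dynamic portion, so no element or handler can be created from it.
function dynamicPartIsInert(html) {
  const inner = html.replace(/^<div class="tooltip">/, '').replace(/<\/div>$/, '');
  return !/[<>]/.test(inner);
}
```

In a browser, `setTooltipTextSafe(document.createElement('div'), SAMPLE_PAYLOAD)` yields an element whose visible text is the literal `<style ...>` string, while `setTooltipTextUnsafe` on the same input creates the element and fires its handler. `buildTooltipHtml` covers the case where a string is unavoidable; note that escaping is context-specific (this helper is for text and quoted attribute contexts, not for URLs or inline script).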