Hey there! You're using an out-of-date browser, so this site probably looks pretty funny. Upgrade your browser for the full experience.

Bootstrap 3 Vulnerability

Earlier last year it was made known that Bootstrap 3.x suffers from a XSS vulnerability. This vulnerability allows malicious users to target the data-attribute and href attributes and pass code through. Here, you can access the progress on the fix.

Earlier last year it was made known that Bootstrap 3.x suffers from a XSS vulnerability. This┬ávulnerability allows malicious users to target the data-attribute and href attributes and pass code through. The vulnerability was “found in an application where data-target was based on user input and only passed through standard HTML entities encoding”. With Bootstrap 4 available, all work on Bootstrap 3.x has been stopped and there hasn’t been a fix for this issue, leaving sites that can’t upgrade to Bootstrap 4 to fend for themselves.

The Vulnerability

The user input is passed directly to the selector and there is no filtering. For instance:

The Fix

However in September, a Bootstrap maintainer named XhmikosR started working on a fix for all the users still on 3.x (as seen above). Currently the fix is waiting to be reviewed and approved, so it can go out as an official release. You can find the branch here.

Since the fix is available on Github though, you can go ahead and apply it as a patch while the release is still under review. For people that use a build system, I’ve pulled out all the Javascript and LESS files and placed them in a package on NPM. With this, you can pull down the package and point your build system to those files instead of Bootstrap’s and then when the release becomes official, just point back to the official files.

The official release however should be released soon.

Born and raised in
Louisville, Kentucky.

502.498.8470

223 S. Clay St

Work With Us

  • This field is for validation purposes and should be left unchanged.