Today we’re shipping Bootstrap v4.3.1 and v3.4.1 to patch an XSS vulnerability, CVE-2019-8331. Also included in v4.3.1 is a small fix to some RFS (responsive font sizes) mixins that were added in v4.3.0.
Earlier this week a developer reported an XSS issue similar to the vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.
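The kind of check a template attribute needs, shown as an added example rather than Bootstrap’s own code: an allowlist sanitizer that keeps only known-safe elements and attributes and refuses javascript: URLs. Bootstrap’s real sanitizer walks a DOMParser tree in the browser; this simplification tokenises with regexes so it runs stand-alone under Node, and its tag and attribute allowlists are assumptions chosen to fit a popover template.

```javascript
// Added example, not Bootstrap's own code: an allowlist sanitizer for the HTML a
// tooltip/popover template may carry. Bootstrap parses the template with the browser's
// DOMParser and prunes the tree; this Node-runnable simplification tokenises tags with
// regexes instead, so treat it as an illustration of the allowlist idea, not a library.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'b', 'i', 'em', 'strong', 'br', 'h3', 'a']);
const ALLOWED_ATTRS = new Set(['class', 'title', 'role', 'href', 'target']);
const SAFE_URL = /^(?:https?:|mailto:|tel:|[^:]*$)/i;      // listed schemes or a relative URL
const RAW_TEXT_ELEMENT = /<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;  // removed with body
const TAG_OR_LT = /<(\/?)([a-zA-Z][\w-]*)([^<>]*)>|</g;    // a parseable tag, or a stray '<'
const ATTR = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
const fromCode = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
// Decode entities once, as the browser would, so javascript&#58; cannot hide from SAFE_URL.
function decodeEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => fromCode(Number(d)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => NAMED[n]);
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeAttrs(rawAttrs) {
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;   // drops every on* handler, style, srcdoc, ...
    const value = decodeEntities(m[2] || m[3] || m[4] || '');
    // Browsers skip control characters inside a scheme, so strip them before the check.
    if (name === 'href' && !SAFE_URL.test(value.replace(/[\x00-\x20]/g, ''))) continue;
    kept.push(` ${name}="${escapeAttr(value)}"`);
  }
  return kept.join('');
}

function sanitizeTemplate(html) {
  return html.replace(RAW_TEXT_ELEMENT, '').replace(TAG_OR_LT, (tag, slash, name, rawAttrs) => {
    if (tag === '<') return '&lt;';                   // not a tag: keep it as visible text
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';          // element not on the allowlist: drop it
    return slash ? `</${lower}>` : `<${lower}${sanitizeAttrs(rawAttrs)}>`;
  });
}
// Constructed sample: a popover template with a handler and a javascript: link smuggled in.
const SAMPLE = '<div class="popover" role="tooltip" onmouseover="x()"><h3 class="popover-header">'
  + '</h3><a href="javascript:alert(1)">more</a></div>';
console.log(sanitizeTemplate(SAMPLE));
```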
In light of this vulnerability, we’re also auditing our security reporting workflows to ensure they’re up to date. This will include steps like adding a SECURITY.md file to our repository and ensuring our private channels and processes are up to date and documented with the team.
Thank you to poiu for reporting the vulnerability to the Bootstrap Drupal project and Mark Carver from the Bootstrap Drupal project for responsibly disclosing the issue to us. Also a massive thank you to @Johann-S, @Xhmikosr, and @bardiharborow on our team for the fast turnaround on today’s releases.