Bootstrap 3.3.7 XSS vulnerability

[georgeliaw]

The version of Bootstrap being used is 3.3.7 which has reported XSS vulnerabilities and is coming up in our internal vulernability scans. The fix is supposed to come in the 3.4.0 release, but that seems to have stalled for whatever reason. May need to look at patching it specifically for DRF or do a full upgrade to Bootstrap 4.

DRF bootstrap.min.js:
https://github.com/encode/django-rest-framework/blob/b63099084f471fe3cd477fc5a5aa90cc97fca827/rest_framework/static/rest_framework/js/bootstrap.min.js

Issue report:
twbs/bootstrap#20184

Patch:
twbs/bootstrap#23687

3.4.0 release ticket:
twbs/bootstrap#25679

[carltongibson]

I'm going to de-milestone this, as pending the long-awaited v.3.4 release of Twitter Bootstrap there's not much we can do. We've been waiting for that release since #5823. We're tracking the upstream issue here twbs/bootstrap#25679 (comment)

• If someone can bundle the patched version, I'm happy to review that.
• If someone can take on the upgrade to v4, I'm happy to review that.

[carltongibson]

So twbs/bootstrap#25679 (comment)

You can always use the master-xmr-v3-fixes branch in the meantime...

It looks like the dist folder there contains everything we need. Anyone care to verify and bundle up a PR?

https://github.com/twbs/bootstrap/tree/master-xmr-v3-fixes/dist

[OmriAharon]

Does anyone has any news regarding when this will get released? I'd hate to have to fork this...

[carltongibson]

Everyone is still waiting for the Bootstrap release. It was meant to be yesterday.

[rpkilby]

twbs/bootstrap#25679 (comment)

[georgeliaw]

Looks like 3.4.0 has been released:
twbs/bootstrap#27288

[carltongibson]

@georgeliaw Super. Fancy doing a PR to update the files? Thanks!

[maciejstromich]

Any plans on merging the opened PR and creating the actual release to pull from pypi?

[tomchristie]

Yup, it'll come when it comes.