Bootstrap 3.3.7 XSS vulnerability #6178
Comments
I'm going to de-milestone this, as pending the long-awaited v.3.4 release of Twitter Bootstrap there's not much we can do. We've been waiting for that release since #5823. We're tracking the upstream issue here twbs/bootstrap#25679 (comment)

So twbs/bootstrap#25679 (comment)

It looks like the https://github.com/twbs/bootstrap/tree/master-xmr-v3-fixes/dist

Does anyone have any news regarding when this will get released? I'd hate to have to fork this...

Everyone is still waiting for the Bootstrap release. It was meant to be yesterday.

Looks like

@georgeliaw Super. Fancy doing a PR to update the files? Thanks!

Any plans on merging the opened PR and creating the actual release to pull from pypi?

Yup, it'll come when it comes.
The version of Bootstrap being used is 3.3.7, which has reported XSS vulnerabilities and is coming up in our internal vulnerability scans. The fix is supposed to come in the 3.4.0 release, but that seems to have stalled for whatever reason. May need to look at patching it specifically for DRF or do a full upgrade to Bootstrap 4.

DRF bootstrap.min.js:
https://github.com/encode/django-rest-framework/blob/b63099084f471fe3cd477fc5a5aa90cc97fca827/rest_framework/static/rest_framework/js/bootstrap.min.js
Issue report:
twbs/bootstrap#20184
Patch:
twbs/bootstrap#23687
3.4.0 release ticket:
twbs/bootstrap#25679