Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix XSS in data-target #23679

Merged
merged 2 commits into from
Aug 25, 2017
Merged

Fix XSS in data-target #23679

merged 2 commits into from
Aug 25, 2017

Conversation

Johann-S
Copy link
Member

@Johann-S Johann-S commented Aug 25, 2017
edited by bardiharborow
Loading

Fix XSS in our data-target (CVE-2016-10735).

Closes #20184
/CC @meeque

@Johann-S Johann-S requested a review from XhmikosR August 25, 2017 19:56
@meeque
Copy link
Contributor

meeque commented Aug 25, 2017

What about js/dist/util.js will CI generate these?

Asking because I have started from writing failing unit tests, and they still fail unless I also fix it over there.

Fyi, you can find these tests here:
https://github.com/meeque/bootstrap/tree/topic/20184-xss-in-data-target-attribute
I've already merged your fix into that.

@Johann-S
Copy link
Member Author

Yes Travis build our code and in this case update js/dist/util.js and only added a Visual test because when we fail to get a target they aren't any error so that's a bit difficult to test that with Travis and we don't have unit tests for util.js

Is it a correct fix for you ?

@meeque
Copy link
Contributor

meeque commented Aug 25, 2017

Yes, the fix looks fine.

I'll have a look around, and check if other features might be affected similarly. I'd open new issues in that case...

The qunit test that I wrote seem to work rather fine either way. Of course, for the positive case there is not much to check, so they just wait for a (very short) timeout, and assert that nothing has happened.

@Johann-S
Copy link
Member Author

Maybe you can create a PR which target my branch v4-xss-data-attribute with your unit test ? ☺️

@Johann-S
Copy link
Member Author

Thanks @meeque 👍

@Johann-S Johann-S merged commit 9612830 into v4-dev Aug 25, 2017
@Johann-S Johann-S deleted the v4-xss-data-attribute branch August 25, 2017 22:20
@mdo mdo mentioned this pull request Aug 25, 2017
Closed
This was referenced Nov 9, 2017
Closed
Closed
@MathiasReker MathiasReker mentioned this pull request Nov 12, 2018
Closed
@bardiharborow bardiharborow mentioned this pull request Dec 29, 2018
Closed
@github-actions github-actions bot mentioned this pull request Apr 19, 2021
Closed
@AASMACMX AASMACMX mentioned this pull request Feb 26, 2023
Open
@AASMACMX AASMACMX mentioned this pull request Apr 26, 2023
Open
@AASMACMX AASMACMX mentioned this pull request Jul 10, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@XhmikosR XhmikosR XhmikosR approved these changes

Assignees
No one assigned
Labels
js v4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Johann-S @meeque @XhmikosR