From efca80bb5bb34546a2e7a9488b89f71457d2ad92 Mon Sep 17 00:00:00 2001
From: Johann-S
Date: Wed, 30 May 2018 09:41:05 +0200
Subject: [PATCH 1/3] fix(tooltip): xss in container option
---
 js/src/tooltip.js | 2 +-
 js/tests/visual/tooltip.html | 53 ++++++++++++++++++++++--------------
 2 files changed, 34 insertions(+), 21 deletions(-)
diff --git a/js/src/tooltip.js b/js/src/tooltip.js
index ed10057ed07e..3d4e93f2b8f4 100644
--- a/js/src/tooltip.js
+++ b/js/src/tooltip.js
@@ -273,7 +273,7 @@ const Tooltip = (($) => {
 const attachment = this._getAttachment(placement)
 this.addAttachmentClass(attachment)
 
- const container = this.config.container === false ? document.body : $(this.config.container)
+ const container = this.config.container === false ? document.body : $(document).find(this.config.container)
 
 $(tip).data(this.constructor.DATA_KEY, this)
 
diff --git a/js/tests/visual/tooltip.html b/js/tests/visual/tooltip.html
index 91713044ab13..d81b018cc525 100644
--- a/js/tests/visual/tooltip.html
+++ b/js/tests/visual/tooltip.html
@@ -27,27 +27,40 @@
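Review bot: The new `$(document).find(this.config.container)` on the `+` line quietly yields an empty jQuery set when the container selector matches nothing, and nothing in the hunk checks `container.length`; the old `$(...)` form behaved the same for a non-matching selector, so this is not a regression, but the line deserves a why-comment because the two expressions look interchangeable and a later cleanup may fold it back: `// .find() only runs the selector engine; $(str) would parse a string starting with '<' as HTML, so a crafted container option could inject markup`. The same class of fix is applied with a different idiom in PATCH 2/3 (collapse.js, `document.querySelector`) and PATCH 3/3 (scrollspy.js, `document.querySelectorAll`); settling on one pattern, or a shared helper, would make the safe lookup easier to audit and keep consistent. Whether `config.container` is constrained to a string before this line cannot be seen here — if an element or jQuery object is also accepted, `.find()` handles those, but confirm against the option's type check. The enclosing method starts and ends outside the hunk.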

Tooltip Bootstrap Visual Test


-

- - - - - - -

+
+

+ + + + + +

+
+
+

+ + + +

+
+
From 3ba186313e9e651bbd52a6a3a0305891dee0a621 Mon Sep 17 00:00:00 2001
From: Johann-S
Date: Wed, 30 May 2018 09:46:50 +0200
Subject: [PATCH 2/3] fix(collapse): xss in parent option
---
 js/src/collapse.js | 2 +-
 js/tests/visual/collapse.html | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/js/src/collapse.js b/js/src/collapse.js
index a756542273fb..2c48cf545205 100644
--- a/js/src/collapse.js
+++ b/js/src/collapse.js
@@ -289,7 +289,7 @@ const Collapse = (($) => {
 parent = this._config.parent[0]
 }
 } else {
- parent = $(this._config.parent)[0]
+ parent = document.querySelector(this._config.parent)
 }
 
 const selector =
diff --git a/js/tests/visual/collapse.html b/js/tests/visual/collapse.html
index 3005920957de..24698d764f12 100644
--- a/js/tests/visual/collapse.html
+++ b/js/tests/visual/collapse.html
@@ -54,6 +54,20 @@
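Review bot: `document.querySelector(this._config.parent)` on the `+` line returns `null` when the selector matches nothing and the else branch leaves that unchecked; the old `$(...)[0]` gave `undefined` in the same case, so the code below presumably tolerates a missing parent, but that cannot be seen here (`const selector =` is cut off), so either guard it or state the intent in a comment. A why-comment would also stop a later cleanup from restoring the jQuery form: `// querySelector never parses the string as HTML, unlike $(str); a crafted parent option must not be able to inject markup`. The object branch above still reads `this._config.parent[0]`, so the two branches now resolve the parent through different mechanisms — fine, but worth noting next to the option's documentation. The enclosing function starts and ends outside the hunk.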
+
+ +
+
+ Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor, sunt aliqua put a bird on it squid single-origin coffee nulla assumenda shoreditch et. Nihil anim keffiyeh helvetica, craft beer labore wes anderson cred nesciunt sapiente ea proident. Ad vegan excepteur butcher vice lomo. Leggings occaecat craft beer farm-to-table, raw denim aesthetic synth nesciunt you probably haven't heard of them accusamus labore sustainable VHS. +
+
+
From 3229efc0811df29765c1d0a949c85362378b0628 Mon Sep 17 00:00:00 2001
From: Johann-S
Date: Wed, 30 May 2018 09:50:13 +0200
Subject: [PATCH 3/3] fix(scrollspy): xss in target option
---
 js/src/scrollspy.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/src/scrollspy.js b/js/src/scrollspy.js
index 091b320bd9bf..90905b05dd80 100644
--- a/js/src/scrollspy.js
+++ b/js/src/scrollspy.js
@@ -115,7 +115,7 @@ const ScrollSpy = (($) => {
 
 this._scrollHeight = this._getScrollHeight()
 
- const targets = $.makeArray($(this._selector))
+ const targets = $.makeArray(document.querySelectorAll(this._selector))
 
 targets
 .map((element) => {
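Review bot: This patch ships no test, while PATCH 1/3 and 2/3 each extend a visual test page for their component (compare the diffstats); a matching page or unit case that sets the `target` option to a string containing markup rather than a selector, and asserts that no element is created, would pin the fix against regression. `document.querySelectorAll` throws a DOMException when `this._selector` is not a valid selector, and since `_selector` is assembled outside the hunk (presumably from the `target` option), confirm that an invalid value is rejected during config validation rather than surfacing at this call site. A why-comment belongs on the `+` line: `// querySelectorAll only runs the selector engine; $(str) would parse markup, so a crafted target option cannot inject elements`. The enclosing method starts outside the hunk.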