Is Bootstrap 3.3.7 safe and secured if “data-target” attribute is unused?

拟墨画扇 submitted on 2019-12-11 22:27:06

Question


There is a security vulnerability regarding Bootstrap 3.3.7. It says that "Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute." I am wondering if v3.3.7 is safe to use if the "data-target" attribute is not used.


Answer 1:


The so-called 'vulnerability' only occurs if the data-target value relies on data injected by something external (directly or indirectly) AND is shown on a page where users other than the attacker are affected.

In other words, this is NOT an issue if all your data-target attributes are made of hardcoded HTML text. It is also generally not an issue if this page is only seen by the attacker (self-hack ...).

For example, you could also say jQuery .html() is a vulnerability, which is a more obvious case, but still vulnerable to XSS if you are a total web beginner or just did not pay attention.

So in general, avoid injecting unescaped user data in third-party: popups, tooltips, ... or anything where DOM is directly manipulated behind the scenes.

I personally do not consider this a big vulnerability, but it is nicer if a famous framework like Bootstrap handles this case or explicitly names the method as unsafe to warn developers.

Chrome audit considers Bootstrap 3.3.x a vulnerability (via Snyk):

Includes front-end JavaScript libraries with known security vulnerabilities

  • Is Bootstrap 3.3.7 safe and secured if "data-target" attribute is unused?
  • https://news.ycombinator.com/item?id=14989841
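The rule the answer gives (data-target is only safe when it cannot carry untrusted input) can be enforced in code. The following is an added example, not code from the original post or from Bootstrap; the function names, the allow-list regex and the assumption that targets are always plain id selectors are this example's own.

```javascript
// Added example (not from the original post or Bootstrap): keep untrusted input
// out of data-target. Assumption: every collapse target in this app is a plain
// id selector such as "#settings-panel", so anything else is rejected outright.
const SAFE_TARGET = /^#[A-Za-z][A-Za-z0-9_-]*$/;

// Allow-list check: a data-target must be a simple id selector, nothing else.
function isSafeTarget(value) {
  return typeof value === 'string' && SAFE_TARGET.test(value);
}

// Escape text for use inside a double-quoted HTML attribute or element body.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The pattern the answer warns about: external data concatenated straight into
// markup, so a value containing a quote breaks out of the attribute.
function buildToggleUnsafe(target, label) {
  return '<button data-toggle="collapse" data-target="' + target + '">' +
         label + '</button>';
}

// Hardened pattern: refuse any target that is not a known-good selector and
// escape the visible label, so neither value can alter the markup.
function buildToggleSafe(target, label) {
  if (!isSafeTarget(target)) {
    throw new Error('refusing untrusted data-target: ' + JSON.stringify(target));
  }
  return '<button data-toggle="collapse" data-target="' + target + '">' +
         escapeAttr(label) + '</button>';
}

// Constructed sample: one legitimate target and one that would break out of the attribute.
const GOOD_TARGET = '#panel-1';
const BAD_TARGET = '#panel-1" title="';
```

If the target really must come from a server-side value, generate it from an allow-listed set of ids rather than passing the raw value through, which is the same rule this check enforces.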


Source: https://stackoverflow.com/questions/52388366/is-bootstrap-3-3-7-safe-and-secured-if-data-target-attribute-is-unused
