Django-rest-framework: Bootstrap 3.3.7 XSS vulnerability

Created on 11 Sep 2018 · 9Comments · Source: encode/django-rest-framework

The version of Bootstrap being used is 3.3.7 which has reported XSS vulnerabilities and is coming up in our internal vulernability scans. The fix is supposed to come in the 3.4.0 release, but that seems to have stalled for whatever reason. May need to look at patching it specifically for DRF or do a full upgrade to Bootstrap 4.

DRF bootstrap.min.js:
https://github.com/encode/django-rest-framework/blob/b63099084f471fe3cd477fc5a5aa90cc97fca827/rest_framework/static/rest_framework/js/bootstrap.min.js

Issue report:
https://github.com/twbs/bootstrap/issues/20184

Patch:
https://github.com/twbs/bootstrap/pull/23687

3.4.0 release ticket:
https://github.com/twbs/bootstrap/issues/25679

Source

georgeliaw

All 9 comments

I'm going to de-milestone this, as pending the long-awaited v.3.4 release of Twitter Bootstrap there's not much we can do. We've been waiting for that release since #5823. We're tracking the upstream issue here https://github.com/twbs/bootstrap/issues/25679#issuecomment-420199818

If someone can bundle the patched version, I'm happy to review that.
If someone can take on the upgrade to v4, I'm happy to review that.

carltongibson on 17 Sep 2018

So https://github.com/twbs/bootstrap/issues/25679#issuecomment-433899778

You can always use the master-xmr-v3-fixes branch in the meantime...

It looks like the dist folder there contains everything we need. Anyone care to verify and bundle up a PR?

https://github.com/twbs/bootstrap/tree/master-xmr-v3-fixes/dist

carltongibson on 29 Oct 2018

Does anyone has any news regarding when this will get released? I'd hate to have to fork this...

OmriAharon on 11 Dec 2018

Everyone is still waiting for the Bootstrap release. It was meant to be yesterday.

carltongibson on 11 Dec 2018

👍1

https://github.com/twbs/bootstrap/issues/25679#issuecomment-445909037

rpkilby on 11 Dec 2018

👍1

Looks like 3.4.0 has been released:
https://github.com/twbs/bootstrap/pull/27288

georgeliaw on 19 Dec 2018

@georgeliaw Super. Fancy doing a PR to update the files? Thanks!

carltongibson on 19 Dec 2018

Any plans on merging the opened PR and creating the actual release to pull from pypi?

maciejstromich on 7 Jan 2019

👍1

Yup, it'll come when it comes.

tomchristie on 8 Jan 2019

👎1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

import error rest_framework_httpsignature.authentication django rest frame work?????????????????????????????

hemanthsp · 3Comments

How to set a field type on SerializerMethodField for OpenAPI schema generation?

Lucidiot · 3Comments

dot character excluded from viewset lookup_field url conf

macropin · 4Comments

Larger floats incorrectly pass DecimalField validation

ryankask · 4Comments

Key name in AuthToken authorization

jpocentek · 3Comments