Bootstrap NES 2.3.x

2.3.5 (NES) - March 11, 2025

Notes

• This release backports remediations for several vulnerabilities and improves the attribute data management in several Bootstrap 2 components.
  • CVE-2016-10735
  • CVE-2018-14040
  • CVE-2018-14042
  • CVE-2019-8331
  • CVE-2024-6485
• Full Version: 2.3.2-bootstrap-2.3.5

Bug Fixes

• Alert:
  • Improve URL/hash extraction logic for href attribute
  • Improve handling and sanitization of selector values from data-target and href attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
• Button:
  • Improve handling of button state data passed through href and any data-*-text including data-complete-text and data-reset-text.
    • This fixes a medium severity XSS vulnerability (CVE-2024-6485)
    • Requires the DOMPurify library.
• Carousel:
  • Improve handling and sanitization of selector values from data-target attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
  • Improve URL/hash extraction logic for href attribute.
• Collapse:
  • Improve URL/hash extraction logic for href attribute.
  • Improve handling and sanitization of selector values from data-target and href attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
  • Improve handling and sanitization of values from data-parent attribute.
    • This fixes a medium severity XSS vulnerability (CVE-2018-14040).
• Dropdown:
  • Improve URL/hash extraction logic for href attribute.
  • Improve handling and sanitization of selector values from data-target and href attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
• Modal:
  • Improve URL/hash extraction logic for href attribute.
  • Improve handling and sanitization of selector values from data-target and href attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
• Popover:
  • Improve handling and sanitization of selector values from data-template and data-title attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2019-8331).
  • Popover now includes three new default properties to assist with XSS remediation:
    • sanitize : true
    • sanitizeFn : null
    • whiteList : DefaultWhitelist
      • See Bootstrap 3 Documentation for sanitization information and default white list values.
• Scrollspy:
  • Improve URL/hash extraction logic for href attribute.
• Tab:
  • Improve URL/hash extraction logic for href attribute.
  • Improve handling and sanitization of selector values from data-target and href attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2016-10735).
• Tooltip:
  • Improve handling and sanitization of selector values from data-container attribute.
    • This fixes a medium severity XSS vulnerability (CVE-2018-14042).
  • Improve handling and sanitization of selector values from data-template and data-title attributes.
    • This fixes a medium severity XSS vulnerability (CVE-2019-8331).
  • Improve handling and sanitization of data-content and data-title attributes.
  • Tooltip now includes three new default properties to assist with XSS remediation:
    • sanitize : true
    • sanitizeFn : null
    • whiteList : DefaultWhitelist
      • See Bootstrap 3 documentation for sanitization information and default white list values.

2.3.4 (NES) - January 31, 2025

Notes

• The .less source files are now included in the released package, allowing applications to directly access the Bootstrap NES component styles via Less instead of CSS.
• Full Version: 2.3.2-bootstrap-2.3.4

2.3.3 (NES) - Nov 14, 2024

Notes

• This is the initial release of Bootstrap NES 2.3.x. This release introduces no functional changes from Bootstrap 2.3.2`.
• Full Version: 2.3.2-bootstrap-2.3.3