Fix some XSS in v3 #23687

Merged
merged 1 commit into from Sep 14, 2017

Johann-S commented Aug 26, 2017

Fixes #20184 / CVE-2016-10735.

@Johann-S Johann-S added js v3 labels Aug 26, 2017

@Johann-S Johann-S requested review from mdo and XhmikosR Aug 26, 2017

@@ -208,8 +208,11 @@
var clickHandler = function (e) {
var href
var $this = $(this)
var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
var target = $this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
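Review bot: The new `var target = ...` line still takes its value straight from the `data-target` or `href` attribute, and the visible part of this hunk does not show how that string is turned back into a jQuery object. If it is passed to `$(target)`, the result is no different from the removed `var $target = $(...)` line, because `$()` treats a string that looks like markup as HTML to construct rather than as a selector. Resolve it with a selector-only lookup such as `$(document).find(target)`. Note also that when `href` contains no `#fragment`, the `replace()` call matches nothing and the whole attribute value lands in `target` unchanged.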


houndci-bot Aug 26, 2017

Line is too long.


Johann-S commented Aug 26, 2017


XhmikosR commented Aug 26, 2017

Yeah, I don't think this branch is right. We have changes in v3-dev branch and that is what you should target.


Johann-S commented Aug 26, 2017

@mdo did a lot of work in this branch, see: https://github.com/twbs/bootstrap/commits/v3.4.0-dev
Maybe you should put your work on this branch instead.

@Johann-S Johann-S force-pushed the v3-xss-data-target branch from 3c3e598 to 603f925 Aug 26, 2017

@@ -208,8 +208,13 @@
var clickHandler = function (e) {
var href
var $this = $(this)
var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
var target = $this.attr('data-target')
|| (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
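Review bot: On the continuation line `|| (href = $this.attr('href')) && href.replace(...)`, an assignment is buried inside a mixed `||` / `&&` expression with no grouping around the `href` branch, which makes the fallback order easy to misread in a security fix. Wrap the `href` branch in its own parentheses, or read `href` in a separate statement first, and add a short comment stating that `target` is an untrusted attribute value that must only ever be used as a selector. The trailing `// strip for ie7` comment now sits on the continuation line only, so say which part of the expression it describes.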


houndci-bot Aug 26, 2017

Line is too long.

@Johann-S Johann-S force-pushed the v3-xss-data-target branch from 603f925 to d9be1da Aug 26, 2017


XhmikosR commented Aug 26, 2017

But all I'm saying is that when Mark is done, he should merge his changes in v3-dev. v3.4.0 seems a lot more specific, more of a WIP branch that will be merged to the base v3-dev one when done.

@Johann-S Johann-S merged commit 29f9237 into v3.4.0-dev Sep 14, 2017

1 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build failed
continuous-integration/travis-ci/push The Travis CI build failed
hound No violations found. Woof!

@Johann-S Johann-S deleted the v3-xss-data-target branch Sep 14, 2017

@rpkilby rpkilby referenced this pull request Feb 21, 2018

Closed

v3.4 release #25679
