!Friendica Developers

Hey all!

First important part of this - https://nvd.nist.gov/vuln/detail/CVE-2019-8331 - I believe we should get Bootstrap in Frio updated to version 3.4.1 as it's affected by this vulnerability. I've created PR #6736 for this. As it's my first PR for Friendica, I hope I've done it appropriately. (I realise the CVE notice only mentions 4.3.1 but you'll see from the Bootstrap release notes that V3 is affected too)

Beyond the XSS vulnerability, as I've been poking around with updating the XMPP addon, I've discovered that there is a conflict with converse.js and Frio as converse.js versions 3.x and newer use Bootstrap 4, and Frio uses Bootstrap 3. There's conflict with that scenario, witnessable if one tries using the converse widget from converse's own documentation site (where they apparently have Bootstrap 3 in use on the docs site).

I've done some Friendica discussion searching on the bootstrap topic, and it sounds like it's come up a bit in the past, but may be a rather large project to accomplish.

In spending some time looking at all the things that have changed between Bootstrap 3 and 4, it seems like it's a pretty good-sized list, but is it going to be unmanageable due to some factor that I'm not grokking from my limited experience with changing things like this?

I have started poking around with this change myself, just to see what happens as I do the modifications. It looks a little discouraging on the surface, but I also honestly haven't got very far in to switching things around. For someone who has done theme development in Friendica and is familiar with Bootstrap, I would love to hear their thoughts on this topic.

#frio #friendica #theme #securityalert