First important part of this - https://nvd.nist.gov/vuln/detail/CVE-2019-8331 - I believe we should get Bootstrap in Frio updated to version 3.4.1, as it's affected by this vulnerability. I've created PR #6736 for this. As it's my first PR for Friendica, I hope I've done it appropriately. (I realise the CVE notice only mentions 4.3.1, but you'll see from the Bootstrap release notes that V3 is affected too.)
Beyond the XSS vulnerability, as I've been poking around with updating the XMPP addon, I've discovered that there is a conflict between converse.js and Frio, as converse.js versions 3.x and newer use Bootstrap 4, and Frio uses Bootstrap 3. There's a conflict in that scenario, which is witnessable if one tries using the converse widget from converse's own documentation site (where they apparently have Bootstrap 3 in use on the docs site).
I've done some Friendica discussion searching on the bootstrap topic, and it sounds like it's come up a bit in the past, but may be a rather large project to accomplish.
In spending some time looking at all the things that have changed between Bootstrap 3 and 4, it seems like it's a pretty good-sized list, but is it going to be unmanageable due to some factor that I'm not grokking from my limited experience with changing things like this?
I have started poking around with this change myself, just to see what happens as I do the modifications. It looks a little discouraging on the surface, but I also honestly haven't got very far into switching things around. For someone who has done theme development in Friendica and is familiar with Bootstrap, I would love to hear their thoughts on this topic.
NVD summary of CVE-2019-8331 (source: MITRE; description last modified 02/20/2019): In Bootstrap before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
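As an added example (not code from the Friendica PR, Frio, or Bootstrap itself), here is a small audit check in the spirit of the allow-list sanitizer that Bootstrap 3.4.1 introduced for this CVE: it scans a tooltip/popover template string and reports elements, attributes, inline event handlers and URI schemes outside an assumed allow-list, so a theme reviewer can flag templates built from untrusted input. The allow-list and the regex tokenizer are assumptions for illustration, not Bootstrap's implementation.

```javascript
// Added example: heuristic allow-list audit for Bootstrap 3 tooltip/popover templates.
// The allow-list is an assumption (a subset of what a tooltip needs), not Bootstrap's default.
const ALLOWED = {
  '*': ['class', 'dir', 'id', 'lang', 'role', 'title'], // attributes allowed on any element
  div: [], span: [], h3: [], p: [], b: [], strong: [], em: [], i: [], small: [], br: [],
  a: ['href'],
};
const URI_ATTRS = ['href', 'src'];
// Conservative scheme check (assumption): http(s), mailto, tel, or a URI with no scheme at all.
// Anything with another scheme (e.g. javascript:) or an ambiguous colon is reported.
const SAFE_URI = /^(?:https?:|mailto:|tel:|[^:]*$)/i;

// Returns a list of findings; an empty list means the template passed the allow-list.
function auditTemplate(template) {
  const findings = [];
  // Heuristic tokenizer for tags; not a full HTML parser (see lead-in).
  const tagRe = /<\s*(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED)) { findings.push(`disallowed element <${name}>`); continue; }
    if (closing) continue; // closing tags carry no attributes worth checking
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (attr.startsWith('on')) { findings.push(`event handler ${attr} on <${name}>`); continue; }
      if (!ALLOWED['*'].includes(attr) && !ALLOWED[name].includes(attr)) {
        findings.push(`disallowed attribute ${attr} on <${name}>`);
        continue;
      }
      if (URI_ATTRS.includes(attr) && !SAFE_URI.test(value)) {
        findings.push(`unsafe URI in ${attr} on <${name}>`);
      }
    }
  }
  return findings;
}

function isSafeTemplate(template) { return auditTemplate(template).length === 0; }

// Constructed samples: Bootstrap 3's stock tooltip markup, and a hostile template
// of the kind that an unsanitized data-template attribute would accept before 3.4.1.
const STOCK_TEMPLATE = '<div class="tooltip" role="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>';
const HOSTILE_TEMPLATE = '<div class="tooltip"><a href="javascript:void(0)" onclick="x()">x</a><img src="x"></div>';
```

Run `auditTemplate(HOSTILE_TEMPLATE)` to see the three findings (unsafe href scheme, onclick handler, disallowed img element); the stock template yields none.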