Earlier last year it was made known that Bootstrap 3.x suffers from a XSS vulnerability. This vulnerability allows malicious users to target the data-attribute and href attributes and pass code through. The vulnerability was “found in an application where data-target was based on user input and only passed through standard HTML entities encoding”. With Bootstrap 4 available, all work on Bootstrap 3.x has been stopped and there hasn’t been a fix for this issue, leaving sites that can’t upgrade to Bootstrap 4 to fend for themselves.
The user input is passed directly to the selector and there is no filtering. For instance:
However in September, a Bootstrap maintainer named XhmikosR started working on a fix for all the users still on 3.x (as seen above). Currently the fix is waiting to be reviewed and approved, so it can go out as an official release. You can find the branch here.
The official release however should be released soon.
Dive into the Sanity Structure Builder
By:Mark Biek on 6/13/2021
Sanity is the super fast, super customizable CMS that we're using as the backend for the new via.studio website. One of the more powerful concepts that Sanity is the Structure Builder which gives you the ability to customize how content is presented in the Sanity admin.Read More »
Email @ 50: Email Development
By:Nick Stewart on 8/6/2021
Email development has always been the bane of a web developer's existence. You have to use outdated methods and don't have access to the full modern web to create a nice looking email that thousands of people will see. It's like asking a Nascar mechanic to create a car using only tools from the 90s - it can be done but its more than a pain.Read More »