Bootstrap NES 2.3.x Release Notes

2.3.5 (NES) - March 11, 2025

Notes

This release backports remediations for several vulnerabilities and improves the attribute data management in several Bootstrap 2 components.
Full Version: 2.3.2-bootstrap-2.3.5

Note

We strongly recommend that you add and use the DOMPurify library to get the proper improvements and protection for the Bootstrap NES versions 2.3.5 and later.

Note

See the new default values for Tooltip and Popover described below.

Bug Fixes

Alert:
- Improve URL/hash extraction logic for href attribute
- Improve handling and sanitization of selector values from data-target and href attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
Button:
- Improve handling of button state data passed through href and any data-*-text including data-complete-text and data-reset-text.
  - This fixes a medium severity XSS vulnerability (CVE-2024-6485)
  - Requires the DOMPurify library.
Carousel:
- Improve handling and sanitization of selector values from data-target attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
- Improve URL/hash extraction logic for href attribute.
Collapse:
- Improve URL/hash extraction logic for href attribute.
- Improve handling and sanitization of selector values from data-target and href attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
- Improve handling and sanitization of values from data-parent attribute.
  - This fixes a medium severity XSS vulnerability (CVE-2018-14040).
Dropdown:
- Improve URL/hash extraction logic for href attribute.
- Improve handling and sanitization of selector values from data-target and href attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
Modal:
- Improve URL/hash extraction logic for href attribute.
- Improve handling and sanitization of selector values from data-target and href attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
Popover:
- Improve handling and sanitization of selector values from data-template and data-title attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2019-8331).
- Popover now includes three new default properties to assist with XSS remediation:
  - sanitize : true
  - sanitizeFn : null
  - whiteList : DefaultWhitelist
    - See Bootstrap 3 Documentation for sanitization information and default white list values.
Scrollspy:
- Improve URL/hash extraction logic for href attribute.
Tab:
- Improve URL/hash extraction logic for href attribute.
- Improve handling and sanitization of selector values from data-target and href attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2016-10735).
Tooltip:
- Improve handling and sanitization of selector values from data-container attribute.
  - This fixes a medium severity XSS vulnerability (CVE-2018-14042).
- Improve handling and sanitization of selector values from data-template and data-title attributes.
  - This fixes a medium severity XSS vulnerability (CVE-2019-8331).
- Improve handling and sanitization of data-content and data-title attributes.
- Tooltip now includes three new default properties to assist with XSS remediation:
  - sanitize : true
  - sanitizeFn : null
  - whiteList : DefaultWhitelist
    - See Bootstrap 3 documentation for sanitization information and default white list values.

2.3.4 (NES) - January 31, 2025

Notes

The .less source files are now included in the released package, allowing applications to directly access the Bootstrap NES component styles via Less instead of CSS.
Full Version: 2.3.2-bootstrap-2.3.4

2.3.3 (NES) - Nov 14, 2024

Notes

This is the initial release of Bootstrap NES 2.3.x. This release introduces no functional changes from Bootstrap 2.3.2`.
Full Version: 2.3.2-bootstrap-2.3.3