Bootstrap 3.3.0 represents an incremental update to the widely-used front-end framework, building upon the foundation laid by version 3.2.0. Both versions share the same core mission: to empower developers with a robust toolkit for crafting responsive, mobile-first web projects.
A key difference lies in the development dependencies. Version 3.3.0 updates its Grunt-based build process, using newer versions of tools such as grunt-contrib-less, grunt-contrib-jshint and grunt-autoprefixer, which may offer better performance and a smoother workflow during development. Notably, remarkable is now present as a dev dependency, which suggests a change in how markdown is processed. Conversely, version 3.2.0 relies on older versions of these tools and includes markdown as a dev dependency, hinting at a different approach to certain build tasks.
For developers using Bootstrap, the choice between these versions may hinge on their existing toolchains and dependency management strategies. If a project already uses newer versions of the Grunt plugins, upgrading to 3.3.0 is the logical step, as it keeps the toolchain compatible and picks up the latest improvements. However, projects tightly bound to the specific build-tool versions used by 3.2.0 may find it easier to stay on the older release to avoid dependency conflicts. Both versions provide the same dependable CSS framework for designing responsive web applications, and both are stable releases.
All vulnerabilities affecting version 3.3.0 of the package
XSS vulnerability that affects bootstrap
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.
See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
bootstrap Cross-site Scripting vulnerability
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Bootstrap Vulnerable to Cross-Site Scripting
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
For bootstrap 4.x upgrade to 4.3.1 or later.
For bootstrap 3.x upgrade to 3.4.1 or later.
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
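As an added, defender-side illustration (not code from this page or from Bootstrap itself), the check below audits the data-* attributes named in the advisories above before markup reaches the affected plugins: the selector attributes must parse as plain CSS selectors, data-template may contain only allowlisted tags and attributes (the allowlist approach Bootstrap 3.4.1 adopted), and data-loading-text must be plain text. All function names, the selector grammar and the allowlists are assumptions chosen for this example.

```javascript
// Added example, not Bootstrap's own code: audit the data-* attributes the
// advisories above name before markup reaches the affected plugins.
// All names, the selector grammar and the allowlists are assumptions.

// Attributes the affected versions hand to jQuery as selectors (data-target,
// data-parent, data-container, data-viewport). Only plain selectors pass.
const SELECTOR_ATTRS = ['data-target', 'data-parent', 'data-container', 'data-viewport'];
const SAFE_SELECTOR =
  /^[#.]?[A-Za-z_][\w-]*(?:[#.][A-Za-z_][\w-]*|\[[A-Za-z_][\w-]*\]|[\s>+~]+[#.]?[A-Za-z_][\w-]*)*$/;

// Allowlist for tooltip/popover data-template markup, modelled on the
// element/attribute allowlist approach Bootstrap 3.4.1 adopted (kept narrow here).
const ALLOWED_TAGS = new Set(['div', 'span', 'h3', 'p', 'b', 'i', 'strong', 'em', 'br']);
const ALLOWED_ATTRS = new Set(['class', 'role', 'title']);
const TAG_RE = /<\s*\/?\s*([A-Za-z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*(?:=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function selectorIsSafe(value) {
  return SAFE_SELECTOR.test(String(value).trim());
}

function templateIsSafe(html) {
  const text = String(html);
  let tagsSeen = 0;
  for (const m of text.matchAll(TAG_RE)) {
    tagsSeen += 1;
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return false;
    for (const a of m[2].matchAll(ATTR_RE)) {
      if (!ALLOWED_ATTRS.has(a[1].toLowerCase())) return false;
    }
  }
  // Every '<' must belong to a tag inspected above; an unterminated fragment
  // such as '<script' is rejected rather than left for the browser to repair.
  const openers = (text.match(/</g) || []).length;
  return openers === tagsSeen;
}

// Returns the names of attributes on one element that fail the checks above.
function auditElementAttrs(attrs) {
  const findings = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (SELECTOR_ATTRS.includes(name) && !selectorIsSafe(value)) findings.push(name);
    else if (name === 'data-template' && !templateIsSafe(value)) findings.push(name);
    // The button plugin renders data-loading-text as HTML, so require plain text.
    else if (name === 'data-loading-text' && /[<>]/.test(String(value))) findings.push(name);
  }
  return findings;
}
```

Run it over each element carrying a data-toggle attribute during server-side templating or a pre-deploy lint; any non-empty finding list means the markup should not be shipped to a pre-3.4.1 Bootstrap.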