Bootstrap 3.4.0 represents an evolution from its predecessor, version 3.3.7, showcasing significant updates primarily in its development dependencies. While both versions share the core mission of providing a responsive, mobile-first front-end framework, the toolchain used to build and test them has changed considerably.
Notably, Bootstrap 3.4.0 introduces several new devDependencies, including ip, stylelint, autoprefixer, grunt-postcss, grunt-stylelint, replace-in-file, and stylelint-order, signaling a strengthened emphasis on code quality, modern CSS practices and automated styling checks. The testing setup is significantly revamped around the Karma test runner, a complete change from the previous version's grunt-contrib-qunit. This shift indicates a move toward a more robust and versatile testing environment. Furthermore, dependencies like markdown-it and grunt-jekyll are updated to later versions, suggesting improvements in the documentation generation process.
On the other hand, Bootstrap 3.3.7 relies on older versions of tools like grunt-csscomb, grunt-saucelabs, grunt-autoprefixer and also includes grunt-contrib-csslint, grunt-contrib-htmlmin, and grunt-contrib-compress, which are absent in the newer version.
For developers, this transition implies that contributing to and extending Bootstrap 3.4.0 requires familiarity with more recent tooling and a renewed focus on coding standards enforced by Stylelint. The core functionality of Bootstrap remains consistent, focusing on grids, components, and utilities for web development, but the underlying build process and quality assurance measures have been notably refined.
All vulnerabilities related to version 3.4.0 of the package
Bootstrap Vulnerable to Cross-Site Scripting
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
For bootstrap 4.x, upgrade to 4.3.1 or later.
For bootstrap 3.x, upgrade to 3.4.1 or later.
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Bootstrap Cross-Site Scripting (XSS) vulnerability
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
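As an added example (not Bootstrap's code and not part of this listing), a small audit helper covering the three attribute paths described above: it flags data-template and data-loading-text values that would reach the unsanitized HTML-insertion paths, and checks that a carousel link's href is a plain fragment before it is used as a selector. The tag and attribute allow-lists are assumptions chosen for a default tooltip template; the regex tokenisation is a review heuristic for templates under your control, not a sanitizer, and the fix remains upgrading to 3.4.1 / 4.3.1.

```javascript
// Constructed audit helper, not Bootstrap's own code. Regex-based scanning is
// only a review heuristic for templates you author; it is not a sanitizer.

// Assumed allow-list: tags a tooltip/popover template legitimately needs.
const ALLOWED_TAGS = new Set(['div', 'h3', 'p', 'span', 'b', 'i', 'strong',
  'em', 'br', 'small', 'ul', 'ol', 'li', 'a']);
// Assumed allow-list of attributes; anything else (style, src, srcdoc...) is flagged.
const ALLOWED_ATTRS = new Set(['class', 'id', 'role', 'title', 'href', 'dir', 'lang']);
// Accept http(s), mailto, tel or relative URLs; rejects javascript:, data:, vbscript:.
// No 'g' flag: a global regex used with .test() keeps lastIndex state between calls.
const SAFE_URL = /^(?:(?:https?|mailto|tel):|[^&:/?#]*(?:[/?#]|$))/i;

const TAG_RE = /<\s*\/?\s*([a-z][\w-]*)([^>]*)>/gi;
const ATTR_RE = /([a-z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

// Scans a data-template value; returns human-readable findings (empty = nothing flagged).
function auditTemplate(template) {
  const findings = [];
  for (const m of template.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) findings.push(`disallowed tag <${tag}>`);
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (name.startsWith('on')) findings.push(`event handler ${name} on <${tag}>`);
      else if (!ALLOWED_ATTRS.has(name)) findings.push(`disallowed attribute ${name} on <${tag}>`);
      if (name === 'href' && !SAFE_URL.test(value)) findings.push(`unsafe href on <${tag}>: ${value}`);
    }
  }
  return findings;
}

// data-loading-text is inserted as HTML by the button plugin; a label never needs markup.
function loadingTextIsSafe(text) {
  return !/[<>]/.test(text);
}

// The carousel turns the link's href into a jQuery selector; only a bare
// fragment identifier is accepted so markup can never be parsed as a selector.
function isSafeCarouselTarget(href) {
  return /^#[A-Za-z][\w-]*$/.test(href);
}
```

Run the audit over the template and data-* values your application sets, and treat any finding as a value that must never be attacker-influenced.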