Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Update Bootstrap version #879

Open
hedsnz opened this issue Aug 28, 2023 · 5 comments
Open

Security: Update Bootstrap version #879

hedsnz opened this issue Aug 28, 2023 · 5 comments

Comments

@hedsnz
Copy link

hedsnz commented Aug 28, 2023

The version of Bootstrap bundled in Leaflet (https://github.com/rstudio/leaflet/blob/main/inst/htmlwidgets/plugins/Leaflet.awesome-markers/bootstrap.min.js) is 3.3.7. This version has several associated CVEs related to cross-site scripting vulnerabilities:

The minimum version of Bootstrap without these vulnerabilities is 4.3.1. Would you consider updating the version of Bootstrap packaged in Leaflet?

Happy to contribute a PR if so.

@jcheng5
Copy link
Member

jcheng5 commented Aug 30, 2023

We only use Bootstrap for glyphicons, it would be great if we could drop it. But glyphicons is not freely available except as packaged with Bootstrap 3. This gist might be a way out, mapping glyphicons to font-awesome.

@gadenbuie
Copy link
Member

There are two more things to note:

  1. The version of Bootstrap that's bundled in leaflet is not included by default in all leaflet maps. Instead, it is only included in maps that use leaflet::addAwesomeMarkers(), specifically with a glyphicon for icon.

  2. If the leaflet map is embedded in an R Markdown or Quarto document or Shiny app that uses a later version of Bootstrap, then leaflet's embedded version will be ignored and the newer version of Bootstrap is used. In other cases, e.g. standalone leaflet maps, you can use htmltools::suppressDependencies() to suppress the Bootstrap bundle entirely.

@hedsnz
Copy link
Author

hedsnz commented Nov 22, 2023

Thanks for the comments -- good to know that there is some mitigation, and that it's only used in specific circumstances.

I'm happy to provide a PR that either updates to the latest version of Bootstrap, or manually maps glyphicons to font-awesome equivalents (and soft deprecating glyphicons/Bootstrap). Please let me know if either of those options would be accepted.

@hedsnz
Copy link
Author

hedsnz commented Jun 17, 2024

@jcheng5 following up on the above

@jcheng5
Copy link
Member

jcheng5 commented Jun 18, 2024

So sorry @hedsnz. At this point I would take either an upgrade to Bootstrap 3.4.1 or the mapping to font-awesome. Thank you for offering.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants