-
Notifications
You must be signed in to change notification settings - Fork 506
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Update Bootstrap version #879
Comments
We only use Bootstrap for glyphicons, it would be great if we could drop it. But glyphicons is not freely available except as packaged with Bootstrap 3. This gist might be a way out, mapping glyphicons to font-awesome. |
There are two more things to note:
|
Thanks for the comments -- good to know that there is some mitigation, and that it's only used in specific circumstances. I'm happy to provide a PR that either updates to the latest version of Bootstrap, or manually maps glyphicons to font-awesome equivalents (and soft deprecating glyphicons/Bootstrap). Please let me know if either of those options would be accepted. |
@jcheng5 following up on the above |
So sorry @hedsnz. At this point I would take either an upgrade to Bootstrap 3.4.1 or the mapping to font-awesome. Thank you for offering. |
The version of Bootstrap bundled in Leaflet (https://github.com/rstudio/leaflet/blob/main/inst/htmlwidgets/plugins/Leaflet.awesome-markers/bootstrap.min.js) is 3.3.7. This version has several associated CVEs related to cross-site scripting vulnerabilities:
The minimum version of Bootstrap without these vulnerabilities is 4.3.1. Would you consider updating the version of Bootstrap packaged in Leaflet?
Happy to contribute a PR if so.
The text was updated successfully, but these errors were encountered: