CVE-2023-46998 from 3.2.0 to 6.0.0 | Fix Plan

[Lam1109]

Dear Bootbox development community,

May I know if we have any plan to fix CVE-2023-46998? And may I know the ETA of the new release?

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

Appreciate your feedback.

[tiesont]

No, no plans at the moment. Frankly, I consider it out of scope for Bootbox.

That being said, at some point we'll probably rewrite the core of Bootbox to use only plain JavaScript (to remove our jQuery dependency) but there's no roadmap for that either. That work would probably address most of the issues noted in that advisory.

[tiesont]

Also: #661

[tarlepp]

This is for bootstrap itself and not issue in bootbox - we cannot fix something that is an issue in library that we use - so I'm closing this.

[Seb33300]

Hi @tarlepp, I don't really understand, if the vulnerability comes from Bootstrap, why that vulnerability was not reported on the Bootstrap project but on Bootbox?

[tiesont]

Hi @tarlepp, I don't really understand, if the vulnerability comes from Bootstrap, why that vulnerability was not reported on the Bootstrap project but on Bootbox?

You'd have to ask the reporter, not us.

The gist is that the reporting user expects Bootbox to sanitize "user" input when we construct the Bootstrap modal. I don't see that as being in scope for Bootbox - if a developer is accepting content from an external source, they know (or should know) what constitutes valid content, and should process the content accordingly before creating a dialog.

Do frameworks like React sanitize content for you? Sure, but Bootbox is not a UI framework - it's a small helper utility designed to create Bootstrap modals dynamically, with some convenience functions added for approximating the native JavaScript modals.

It's a pretty big ask to expect the few of us who maintain this project to spend a lot of time implementing and maintaining sanitizer code, so... it's not happening anytime soon.

[Seb33300]

If we take the Popover component from Bootstrap: https://getbootstrap.com/docs/5.3/components/popovers/#options

HTML is not rendered by default and we must set the html option to true if we want to render HTML.
Maybe a similar option should fix the vulnerability.

[tiesont]

If we take the Popover component from Bootstrap: https://getbootstrap.com/docs/5.3/components/popovers/#options

HTML is not rendered by default and we must set the html option to true if we want to render HTML. Maybe a similar option should fix the vulnerability.

Doesn't really fix anything, just kicks the can further down the road. That, and if a dev can handle needing to opt into what is currently the default behavior, then they should be able to handle reading the documentation where we explicitly (in multiple places) call out that we don't sanitize content.

I could add this option pretty easily, but it would default to "true", since I'm not breaking existing functionality just to appease someone who had the time to work up an exploit but not enough time to create even a rudimentary PR.

I'm aware that it sounds like I'm being negative here, which is not my intent. Just stating my position and why we have chosen not to address this or the related (and pinned) issue.

Keep in mind, any significant changes require both adding new tests and fixing any failing tests, so it's not like it's a case of "add ten lines of code and then head to the pub to celebrate".