Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions debian/changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
twitter-bootstrap3 (3.4.1+dfsg-3deepin1) unstable; urgency=medium

* Team upload.
* Add patch to fix CVE-2024-6485, CVE-2025-1647:
XSS vulnerability in button.js data-loading-text attribute.
(Closes: #1084060, #1105899)

-- deepin-ci-robot <packages@deepin.org> Tue, 27 May 2025 02:15:00 +0800

twitter-bootstrap3 (3.4.1+dfsg-3) unstable; urgency=medium

[ Yadd ]
Expand Down
41 changes: 41 additions & 0 deletions debian/patches/2002_CVE-2024-6485.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
Description: Fix XSS vulnerability in button.js data-loading-text attribute
This patch addresses CVE-2024-6485 and CVE-2025-1647 by adding HTML sanitization
to the button plugin's setState method, preventing cross-site scripting attacks
through malicious data-loading-text attributes.
Origin: https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084060
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105899
Forwarded: not-needed
Author: Klemen <16374228+KlemenDEV@users.noreply.github.com>
Reviewed-by: deepin-ci-robot <packages@deepin.org>
Last-Update: 2025-05-27

Index: twitter-bootstrap3/js/button.js
===================================================================
--- twitter-bootstrap3.orig/js/button.js
+++ twitter-bootstrap3/js/button.js
@@ -25,6 +25,15 @@
loadingText: 'loading...'
}

+ Button.prototype.sanitize = function (unsafeText) {
+ return unsafeText
+ .replace(/&/g, "&amp;")
+ .replace(/</g, "&lt;")
+ .replace(/>/g, "&gt;")
+ .replace(/"/g, "&quot;")
+ .replace(/'/g, "&#039;");
+ }
+
Button.prototype.setState = function (state) {
var d = 'disabled'
var $el = this.$element
@@ -37,7 +46,7 @@

// push to event loop to allow forms to submit
setTimeout($.proxy(function () {
- $el[val](data[state] == null ? this.options[state] : data[state])
+ $el[val](data[state] == null ? this.options[state] : this.sanitize(data[state]))

if (state == 'loadingText') {
this.isLoading = true
1 change: 1 addition & 0 deletions debian/patches/series
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
2001_privacy.patch
2002_CVE-2024-6485.patch
Loading