Security: Update Bootstrap version
The version of Bootstrap bundled in Leaflet (https://github.com/rstudio/leaflet/blob/main/inst/htmlwidgets/plugins/Leaflet.awesome-markers/bootstrap.min.js) is 3.3.7. This version has several associated CVEs related to cross-site scripting vulnerabilities:
- CVE-2018-14040
- CVE-2018-14042
- CVE-2018-20676
- CVE-2018-20677
- CVE-2019-8331
The minimum version of Bootstrap without these vulnerabilities is 4.3.1. Would you consider updating the version of Bootstrap packaged in Leaflet?
Happy to contribute a PR if so.
We only use Bootstrap for glyphicons; it would be great if we could drop it. But glyphicons is not freely available except as packaged with Bootstrap 3. This gist might be a way out, mapping glyphicons to font-awesome.
There are two more things to note:
- The version of Bootstrap that's bundled in leaflet is not included by default in all leaflet maps. Instead, it is only included in maps that use `leaflet::addAwesomeMarkers()`, specifically with a glyphicon for `icon`.
- If the leaflet map is embedded in an R Markdown or Quarto document or Shiny app that uses a later version of Bootstrap, then leaflet's embedded version will be ignored and the newer version of Bootstrap is used. In other cases, e.g. standalone leaflet maps, you can use `htmltools::suppressDependencies()` to suppress the Bootstrap bundle entirely.
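An added example (not code from this issue or from the leaflet package) showing the two mitigations described above for a standalone map. It assumes that the Bootstrap bundle attached by `addAwesomeMarkers()` is registered as an HTML dependency named `"bootstrap"` and that a leaflet map object keeps its attached dependencies in `$dependencies`; the coordinates are constructed sample values.

```r
library(leaflet)
library(htmltools)

# Constructed sample marker position (not from the issue).
lng <- 174.768
lat <- -36.852

# Mitigation (a): use the "fa" icon library instead of glyphicons.
# Only glyphicon markers pull in the bundled Bootstrap 3.3.7, so a
# font-awesome marker never attaches that dependency at all.
map_fa <- leaflet() |>
  addTiles() |>
  addAwesomeMarkers(
    lng = lng, lat = lat,
    icon = makeAwesomeIcon(icon = "flag", library = "fa", markerColor = "red")
  )

# Mitigation (b): keep glyphicons but drop the Bootstrap bundle before
# rendering. This map still uses a glyphicon and therefore attaches
# the Bootstrap dependency.
map_glyph <- leaflet() |>
  addTiles() |>
  addAwesomeMarkers(
    lng = lng, lat = lat,
    icon = makeAwesomeIcon(icon = "flag", library = "glyphicon")
  )

# Helper to list the names of the dependencies a map will ship with.
# Assumption: leaflet stores attached htmlDependency objects in $dependencies.
dep_names <- function(map) {
  vapply(map$dependencies, function(d) d$name, character(1))
}

# Check which map actually carries the Bootstrap bundle.
"bootstrap" %in% dep_names(map_fa)     # expected FALSE: no glyphicon used
"bootstrap" %in% dep_names(map_glyph)  # expected TRUE: glyphicon marker

# suppressDependencies() emits a marker that tells htmltools to drop the
# named dependency when the page is rendered. Wrap the widget and the
# suppression in one tagList so they are rendered together.
# Assumption: the dependency name is "bootstrap"; confirm with dep_names().
hardened <- tagList(map_glyph, suppressDependencies("bootstrap"))

# Render to a standalone HTML file; the Bootstrap 3.3.7 script and CSS
# are no longer written into the output.
save_html(hardened, file = "map_without_bootstrap.html")
```

If `dep_names()` shows a different name for the Bootstrap bundle in your leaflet version, pass that name to `suppressDependencies()` instead.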
Thanks for the comments -- good to know that there is some mitigation, and that it's only used in specific circumstances.
I'm happy to provide a PR that either updates to the latest version of Bootstrap, or manually maps glyphicons to font-awesome equivalents (and soft deprecating glyphicons/Bootstrap). Please let me know if either of those options would be accepted.
@jcheng5 following up on the above
So sorry @hedsnz. At this point I would take either an upgrade to Bootstrap 3.4.1 or the mapping to font-awesome. Thank you for offering.