twbs / bootstrap / 28308867162

94%

main: 96%

push

github

Sanitizer: block data:/vbscript: URLs (XSS hardening) (#42549)

* Sanitizer: block data:/vbscript: URLs in allowed attributes

The sanitizer's SAFE_URL_PATTERN only rejected javascript:, so a
data:text/html (or vbscript:) URL in an href/src passed the allowList —
an XSS vector via data-bs-title/data-bs-content. Reject data: and
vbscript: in SAFE_URL_PATTERN and re-allow only safe base64 image/video/
audio data URLs via a restored DATA_URL_PATTERN. Fixes #42443.

* Bump bundlewatch size thresholds

* Sanitizer: drop redundant 0-9 from base64 data-URI char class

\d already matches 0-9, so the explicit 0-9 in the same class was dead
weight. Functionally identical; clears the CodeQL overly-permissive-range
alert on the overlap.

* Build: bump bundle.js bundlewatch threshold for sanitizer additions

1053 of 1175 branches covered (89.62%)

Branch coverage included in aggregate %.

3 of 3 new or added lines in 1 file covered. (100.0%)

2980 of 3102 relevant lines covered (96.07%)

218.75 hits per line