twbs / bootstrap-sass

Official Sass port of Bootstrap 2 and 3.
http://getbootstrap.com/css/#sass
MIT License

3.4.1 Tooltip sanitization breaks popover with tables #1203

Closed victornpb closed 5 years ago

victornpb commented 5 years ago

Is there any reason why <table> is not whitelisted by the sanitizeHtml function?

https://github.com/twbs/bootstrap-sass/blob/b34765d8a6aa775816c59012b2d6b30c4c66a8e9/assets/javascripts/bootstrap.js#L1313

This was a breaking change for us, released as a patch.

Looking at the source code I found that I could set sanitize: false, but I don't see why it would be required to turn sanitization off completely just to be able to use tables. Are there any known vulnerabilities regarding tables that I'm not aware of?

$('#button').popover({
  html: true,
  content: function () {
    return `
        <div> Table below
            <table><tr><td>Foo:</td><td>bar</td></tr></table>
       </div>
    `;
  }
})

Minimal reproduction: https://jsfiddle.net/Victornpb/u1q7cjft/

Johann-S commented 5 years ago

Hi @victornpb,

We cannot whitelist every HTML element, but you can whitelist just what you need; you'll find some information about how to do so here: https://getbootstrap.com/docs/3.4/javascript/#js-sanitizer
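As an added illustration of the per-element whitelisting the reply above points to (this is example code written for this thread, not code from the issue or from bootstrap-sass): the block below builds a copy of a sanitizer whitelist with the table elements added, and includes a small checker that mirrors the rules the Bootstrap 3.4 docs describe for the `whiteList` option (element name as key, array of allowed attribute names or RegExps as value, `'*'` applying to every element). The checker, the `SAMPLE_DEFAULT_WHITELIST` stand-in and the helper names are assumptions made so the file runs without jQuery or Bootstrap loaded; the browser hook `$.fn.tooltip.Constructor.DEFAULTS.whiteList` is the one from the docs.

```javascript
// Added example, not from the issue or from bootstrap-sass.
// Assumes the Bootstrap 3.4 `whiteList` option shape:
//   { '*': [globalAttrs...], tagName: [attrNames or RegExps...] }
// Elements whose tag is not a key are removed by the sanitizer; attributes not
// matched by '*' or by the element's own list are stripped.

// Table elements to allow. Each gets an EMPTY attribute list, so only the
// global '*' attributes (class, id, aria-*, ...) survive on them. URL-bearing
// attributes such as `background` therefore stay rejected.
const TABLE_ELEMENTS = ['table', 'caption', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'];

// Return a new whitelist: a deep-enough copy of `base` plus the table elements.
// `base` is left untouched.
function withTableElements(base) {
  const extended = {};
  for (const name of Object.keys(base)) {
    extended[name] = base[name].slice(); // copy each attribute array
  }
  for (const el of TABLE_ELEMENTS) {
    if (!(el in extended)) extended[el] = [];
  }
  return extended;
}

// Approximation of the documented rules (written for this example, not
// Bootstrap's own sanitizer): is the element kept at all?
function isElementAllowed(whiteList, tagName) {
  return Object.prototype.hasOwnProperty.call(whiteList, tagName.toLowerCase());
}

// Is `attrName` kept on `tagName`? Matches by exact name or by RegExp against
// the union of whiteList['*'] and the element's own list.
function isAttributeAllowed(whiteList, tagName, attrName) {
  const tag = tagName.toLowerCase();
  const attr = attrName.toLowerCase();
  if (!isElementAllowed(whiteList, tag)) return false;
  const allowed = (whiteList['*'] || []).concat(whiteList[tag] || []);
  return allowed.some(entry =>
    entry instanceof RegExp ? entry.test(attr) : entry === attr);
}

// Constructed stand-in for the library default (global attributes plus a few
// elements), so the example runs offline. Note: no table elements in it.
const SAMPLE_DEFAULT_WHITELIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role', /^aria-[\w-]*$/i],
  div: [],
  span: [],
  a: ['target', 'href', 'title', 'rel'],
};

// Whitelist to hand to a popover via the `whiteList` option:
//   $('#button').popover({ html: true, whiteList: tableWhiteList, content: ... })
const tableWhiteList = withTableElements(SAMPLE_DEFAULT_WHITELIST);

// In a page with jQuery and Bootstrap 3.4 loaded, extend the shared default in
// place, the way the docs do (assumption: popover defaults share the same
// object as tooltip defaults, so mutating it updates both). Guarded so the
// file also runs outside a browser.
if (typeof window !== 'undefined' && window.jQuery && window.jQuery.fn.tooltip) {
  const shared = window.jQuery.fn.tooltip.Constructor.DEFAULTS.whiteList;
  for (const el of TABLE_ELEMENTS) {
    if (!(el in shared)) shared[el] = [];
  }
}
```

The design point is that allowing an element is separate from allowing attributes on it: adding `table`, `tr` and `td` with empty attribute lists is enough for the markup in the original report, while the attributes the OWASP cheat sheet entry cited later in this thread relies on (`background` on table elements) remain stripped.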

victornpb commented 5 years ago

My question is, is there any intrinsic security issue with tables that I'm not aware of? Because I also don't want to blindly whitelist something that I don't fully understand.

Johann-S commented 5 years ago

You'll find everything in the OWASP website see: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE