From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
Date: Fri, 30 May 2025 18:13:34 +0200
Subject: CVE-2025-1647

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability
in Bootstrap allows Cross-Site Scripting (XSS)

DOM-based cross-site scripting (XSS) via DOM clobbering occurs when an attacker
manipulates the Document Object Model (DOM) to overwrite
or "clobber" an existing DOM object, leading to the execution
of malicious scripts.

document.implementation should be tested against a well-known type.

Use DOMParser if possible (supported since 2015), in order to create a DoS in case
document.implementation is overridden.

bug: https://www.herodevs.com/vulnerability-directory/cve-2025-1647
bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2025-1647
---
 js/tooltip.js | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/js/tooltip.js b/js/tooltip.js
index c8c1c8c..a5b923c 100644
--- a/js/tooltip.js
+++ b/js/tooltip.js
@@ -99,6 +99,7 @@
   }
 
   function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {
+    let doc = null
     if (unsafeHtml.length === 0) {
       return unsafeHtml
     }
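Review bot: The added `let doc = null` here, and `const body = ...` in the second hunk, are ES2015 declarations in a file whose visible lines otherwise use `var` and whose comment still refers to IE 8. A pre-ES2015 engine rejects the whole script at parse time, so the sanitizer would never load there, and an ES5-only minifier may fail on it as well. I would write `var doc = null` and `var body = doc.body || doc.documentElement` to match the file. The trailing semicolons and the 8-space indent on the `new DOMParser()` line in the second hunk also differ from the surrounding no-semicolon, 2-space style. The body of sanitizeHtml continues outside this hunk.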
@@ -107,16 +108,21 @@
       return sanitizeFn(unsafeHtml)
     }
 
-    // IE 8 and below don't support createHTMLDocument
-    if (!document.implementation || !document.implementation.createHTMLDocument) {
-      return unsafeHtml
+    try {
+        doc = new DOMParser().parseFromString(unsafeHtml, 'text/html');
+    } catch (_) {}
+    if (!doc || !doc.documentElement) {
+      // IE 8 and below don't support createHTMLDocument
+      if (!document.implementation || !(document.implementation instanceof DOMImplementation) || document.implementation.createHTMLDocument === undefined) {
+        throw new Error('Could not sanitize CVE-2025-1647');
+      }
+      doc = document.implementation.createHTMLDocument('sanitization')
+      doc.body.innerHTML = unsafeHtml
     }
-
-    var createdDocument = document.implementation.createHTMLDocument('sanitization')
-    createdDocument.body.innerHTML = unsafeHtml
+    const body = doc.body || doc.documentElement;
 
     var whitelistKeys = $.map(whiteList, function (el, i) { return i })
-    var elements = $(createdDocument.body).find('*')
+    var elements = $(body).find('*')
 
     for (var i = 0, len = elements.length; i < len; i++) {
       var el = elements[i]
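Review bot: `doc.body` in `const body = doc.body || doc.documentElement` is read without a type check from a document that, on the DOMParser path, already holds the untrusted markup. It may therefore be open to the same named-property shadowing that the `instanceof DOMImplementation` check guards against for `document.implementation`. As far as I can tell the outcome would be a truncated or empty return value rather than unsanitised output, but failing closed would match the rest of the patch: `if (!(body instanceof HTMLBodyElement || body instanceof HTMLHtmlElement)) { throw new Error('Could not sanitize CVE-2025-1647') }`. The comment `// IE 8 and below don't support createHTMLDocument` now sits above a branch that throws, so it should instead say that the type check rejects an overridden `document.implementation`. The loop that consumes `body` continues outside this hunk.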
@@ -138,7 +144,7 @@
       }
     }
 
-    return createdDocument.body.innerHTML
+    return body.innerHTML
   }
 
   // TOOLTIP PUBLIC CLASS DEFINITION
