[Security] Bump bootstrap from 3.4.1 to 4.3.1

[dependabot-preview]

Bumps bootstrap from 3.4.1 to 4.3.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects bootstrap
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.

Affected versions: < 4.1.2

Release notes

Sourced from bootstrap's releases.

v4.3.1

• Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
• Fixed a small issue with our RFS (responsive font sizes) mixins

v4.3.0

Highlights

• New: Added .stretched-link utility to make any anchor the size of it's nearest position: relative parent, perfect for entirely clickable cards!
• New: Added .text-break utility for applying word-break: break-word
• New: Added .rounded-sm and .rounded-lg for small and large border-radius.
• New: Added .modal-dialog-scrollable modifier class for scrolling content within a modal.
• New: Added responsive .list-group-horizontal modifier classes for displaying list groups as a horizontal row.
• Improved: Reduced our compiled CSS by using null for variables that by default inherit their values from other elements (e.g., $headings-color was inherit and is now null until you modifier it in your custom CSS).
• Improved: Badge focus styles now match their background-color like our buttons.
• Fixed: Silenced bad selectors in our JS plugins for the href HTML attribute to avoid JavaScript errors. Please try to use valid selectors or the data-target HTML attribute/target option where available.
• Fixed: Reverted v4.2.1's change to the breakpoint and grid container Sass maps that blocked folks from upgrading when modifying those default variables.
• Fixed: Restored white-space: nowrap to .dropdown-toggle (before v4.2.1 it was on all .btns) so carets don't wrap to new lines.
• Deprecated: img-retina, invisible, float, and size mixins are now deprecated and will be removed in v5.

Links

• Read the full ship list
• Review the project board

v4.2.1

Bump to v4.2.1 to republish package on npm. See v4.2.0 release notes for changes introduced in v4.2.

v4.2.0

Here are the highlights of what's new and updated in v4.2.

• New: Added a new spinner loading component.
• New: Added new toast component for displaying notifications.
• New: Added a new iOS style switch (a modifier class to our custom checkboxes).
• New: Added touch support in our carousel component.
• New: Added .font-weight-lighter and .font-weight-bolder utilities.
• New: Added .text-decoration-none utility class.
• New: Added .modal-xl modifier class for our modals.
• New: Added new negative margin utility classes (e.g., .mb-n3). These rad new classes not only allow you more control over your general spacing needs, but also allow you to create responsive grid gutters at each breakpoint.
• New: Validated form fields now have feedback icons on :invalid and :valid fields. Disable them with the $enable-validation-icons boolean Sass variable (defaults to true).
• New: Added a new versions page to our docs
• New: Tooltips/Popovers work with Shadow DOM
• Updated: Redesigned the custom checkboxes and radios for more obvious states.
• Updated: bootstrap-grid.css now includes our margin and padding utilities for full control of our grid system.
• Updated: Changed auto columns (e.g., .col-auto) from max-width: none to max-width: 100% to prevent content from causing a column to overflow the parent.
• Updated: Improved rendering of custom selects, ranges, file input, and more.

Checkout the full v4.2.0 ship list and GitHub project for the full details. Up next is v4.3 with some bugfixes, a few new modifier classes and variables, and some new utilities.

Head to to the v4.2.x docs to see the latest in action. The full release has been published to npm and will soon appear on the Bootstrap CDN and Rubygems.

v4.1.3

... (truncated)

Commits

• 8fa0d30 Release v4.3.1. (#28252)
• dae20da Remove unneeded glob. (#28249)
• 10b97f6 Fix npm package contents
• 7bc4d2e Add sanitize template option for tooltip/popover plugins.
• bf2515a Update RFS to v8.0.1 (#28245)
• 45ced60 Update font size (#28232)
• 1ded0d6 Release v4.3.0 (#28228)
• 3aa0770 docs snippets: a few more minor tweaks (#28225)
• adf16da toasts.md: Remove useless divs.
• 2bfe581 Remove stray parameter from capture.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[skjnldsv]

This is a LOT of changes, not sure we can get that :/
Why do we use bootstrap? The tooltip only?

[juliusknorr]

@skjnldsv Yes its the tooltip only. Bootstrap now also uses https://popper.js.org/ which is the same underlying lib as v-tooltip btw.

I pushed some fixes, looks all fine now from a quick test.

[rullzer]

We are not affected as we only use tooltip.
Lets tackle this for 17.

Maybe a more generalized approach in OCP to show a tooltip would be better anyway. So it is not dependant on what we use in the backend.

[rullzer]

Seems to still work

[rullzer]

Rebased to fix conflicts

[ChristophWurst]

Tested and still works 👍

[juliusknorr]

Seems that arrow function of the tooltip sources are not properly converted, therefore tests fail and IE doesn't work currently. I'll have a look.

[juliusknorr]

Pushed a fix to just use the dist file for tooltip which is also there. Let's see if CI is happier about that.

[juliusknorr]

Pushed another fix, runs fine locally now. Let's see: https://drone.nextcloud.com/nextcloud/server/16843/253

[faily-bot]

🤖 beep boop beep 🤖

Here are the logs for the failed build:

Status of 16843: failure

DB=mysql, ENABLE_REDIS=false, PHP=7.3

Show full log

There was 1 failure:

1) TrashbinTest::testExpireOldFiles
Failed asserting that null is identical to 'file2.txt'.

/drone/src/github.com/nextcloud/server/apps/files_trashbin/tests/TrashbinTest.php:186

--

There was 1 risky test:

1) OCA\TwoFactorBackupCodes\Tests\Db\BackupCodeMapperTest::testInsertArgonEncryptedCodes
This test did not perform any assertions

TESTS=acceptance, TESTS-ACCEPTANCE=app-files

• tests/acceptance/features/app-files.feature:41
• tests/acceptance/features/app-files.feature:126
• tests/acceptance/features/app-files.feature:133

Show full log

  Scenario: viewing a favorite file in its folder shows the correct sidebar view # /drone/src/github.com/nextcloud/server/tests/acceptance/features/app-files.feature:41
    Given I am logged in                                                         # LoginPageContext::iAmLoggedIn()
    And I create a new folder named "other"                                      # FileListContext::iCreateANewFolderNamed()
      │ Create menu button in file list could not be clicked
      │ Exception message: Element is not currently visible and so may not be interacted with
      │ Build info: version: '2.53.1', revision: 'a36b8b1', time: '2016-06-30 17:37:03'
      │ System info: host: 'fa90713f39a7', ip: '172.17.0.19', os.name: 'Linux', os.arch: 'amd64', os.version: '4.15.0-43-generic', java.version: '1.8.0_91'
      │ Driver info: driver.version: unknown
      │ Trying again
      │ 
    And I mark "other" as favorite                                               # FileListContext::iMarkAsFavorite()
    And I mark "welcome.txt" as favorite                                         # FileListContext::iMarkAsFavorite()
    And I see that "other" is marked as favorite                                 # FileListContext::iSeeThatIsMarkedAsFavorite()
    And I see that "welcome.txt" is marked as favorite                           # FileListContext::iSeeThatIsMarkedAsFavorite()
    And I open the "Favorites" section                                           # AppNavigationContext::iOpenTheSection()
    And I open the details view for "other"                                      # FileListContext::iOpenTheDetailsViewFor()
      Row for file other in file list could not be found after 100 seconds
      File actions menu button for file other in file list could not be found after 100 seconds (NoSuchElementException)
    And I see that the details view is open                                      # FilesAppContext::iSeeThatTheDetailsViewIsOpen()
    And I see that the file name shown in the details view is "other"            # FilesAppContext::iSeeThatTheFileNameShownInTheDetailsViewIs()
    When I view "welcome.txt" in folder                                          # FileListContext::iViewInFolder()
    Then I see that the current section is "All files"                           # AppNavigationContext::iSeeThatTheCurrentSectionIs()
    And I see that the details view is open                                      # FilesAppContext::iSeeThatTheDetailsViewIsOpen()
    And I see that the file name shown in the details view is "welcome.txt"      # FilesAppContext::iSeeThatTheFileNameShownInTheDetailsViewIs()
    When I open the details view for "other"                                     # FileListContext::iOpenTheDetailsViewFor()
    And I see that the file name shown in the details view is "other"            # FilesAppContext::iSeeThatTheFileNameShownInTheDetailsViewIs()

  Scenario: show deleted files                                        # /drone/src/github.com/nextcloud/server/tests/acceptance/features/app-files.feature:126
    Given I am logged in                                              # LoginPageContext::iAmLoggedIn()
    And I delete "welcome.txt"                                        # FileListContext::iDelete()
    When I open the "Deleted files" section                           # AppNavigationContext::iOpenTheSection()
    Then I see that the current section is "Deleted files"            # AppNavigationContext::iSeeThatTheCurrentSectionIs()
    Then I see that the file list contains a file named "welcome.txt" # FileListContext::iSeeThatTheFileListContainsAFileNamed()
      Row for file welcome.txt in file list could not be found after 100 seconds (NoSuchElementException)

  Scenario: show deleted files for a second time                      # /drone/src/github.com/nextcloud/server/tests/acceptance/features/app-files.feature:133
    Given I am logged in                                              # LoginPageContext::iAmLoggedIn()
    And I open the "Deleted files" section                            # AppNavigationContext::iOpenTheSection()
    And I see that the current section is "Deleted files"             # AppNavigationContext::iSeeThatTheCurrentSectionIs()
    And I open the "All files" section                                # AppNavigationContext::iOpenTheSection()
    And I see that the current section is "All files"                 # AppNavigationContext::iSeeThatTheCurrentSectionIs()
    And I delete "welcome.txt"                                        # FileListContext::iDelete()
    When I open the "Deleted files" section                           # AppNavigationContext::iOpenTheSection()
    Then I see that the current section is "Deleted files"            # AppNavigationContext::iSeeThatTheCurrentSectionIs()
    Then I see that the file list contains a file named "welcome.txt" # FileListContext::iSeeThatTheFileListContainsAFileNamed()
      Row for file welcome.txt in file list could not be found after 100 seconds (NoSuchElementException)

TESTS=acceptance, TESTS-ACCEPTANCE=app-files-tags

• tests/acceptance/features/app-files-tags.feature:11
• tests/acceptance/features/app-files-tags.feature:42

Show full log

  Scenario: show the input field for tags in the details view after closing and opening the details view again # /drone/src/github.com/nextcloud/server/tests/acceptance/features/app-files-tags.feature:11
    Given I am logged in                                                                                       # LoginPageContext::iAmLoggedIn()
    And I open the details view for "welcome.txt"                                                              # FileListContext::iOpenTheDetailsViewFor()
    And I see that the details view is open                                                                    # FilesAppContext::iSeeThatTheDetailsViewIsOpen()
    And I close the details view                                                                               # FilesAppContext::iCloseTheDetailsView()
    And I see that the details view is closed                                                                  # FilesAppContext::iSeeThatTheDetailsViewIsClosed()
    And I open the details view for "welcome.txt"                                                              # FileListContext::iOpenTheDetailsViewFor()
    And I see that the details view is open                                                                    # FilesAppContext::iSeeThatTheDetailsViewIsOpen()
    When I open the input field for tags in the details view                                                   # FilesAppContext::iOpenTheInputFieldForTagsInTheDetailsView()
    Then I see that the input field for tags in the details view is shown                                      # FilesAppContext::iSeeThatTheInputFieldForTagsInTheDetailsViewIsShown()
      Failed asserting that false is true.

  Scenario: add tags using the dropdown in the details view                                 # /drone/src/github.com/nextcloud/server/tests/acceptance/features/app-files-tags.feature:42
    Given I am logged in as the admin                                                       # LoginPageContext::iAmLoggedInAsTheAdmin()
    And I visit the settings page                                                           # SettingsMenuContext::iVisitTheSettingsPage()
    And I open the "Tag management" section                                                 # AppNavigationContext::iOpenTheSection()
    And I see that the button to select tags is shown                                       # SettingsContext::iSeeThatTheButtonToSelectTagsIsShown()
    And I create the tag "tag1" in the settings                                             # SettingsContext::iCreateTheTagInTheSettings()
    And I create the tag "tag2" in the settings                                             # SettingsContext::iCreateTheTagInTheSettings()
    And I create the tag "tag3" in the settings                                             # SettingsContext::iCreateTheTagInTheSettings()
    And I create the tag "tag4" in the settings                                             # SettingsContext::iCreateTheTagInTheSettings()
    And I see that the dropdown for tags in the settings eventually contains the tag "tag1" # SettingsContext::iSeeThatTheDropdownForTagsInTheSettingsEventuallyContainsTheTag()
    And I see that the dropdown for tags in the settings eventually contains the tag "tag2" # SettingsContext::iSeeThatTheDropdownForTagsInTheSettingsEventuallyContainsTheTag()
    And I see that the dropdown for tags in the settings eventually contains the tag "tag3" # SettingsContext::iSeeThatTheDropdownForTagsInTheSettingsEventuallyContainsTheTag()
    And I see that the dropdown for tags in the settings eventually contains the tag "tag4" # SettingsContext::iSeeThatTheDropdownForTagsInTheSettingsEventuallyContainsTheTag()
    And I log out                                                                           # SettingsMenuContext::iLogOut()
    And I am logged in                                                                      # LoginPageContext::iAmLoggedIn()
    And I open the details view for "welcome.txt"                                           # FileListContext::iOpenTheDetailsViewFor()
    And I open the input field for tags in the details view                                 # FilesAppContext::iOpenTheInputFieldForTagsInTheDetailsView()
    When I check the tag "tag2" in the dropdown for tags in the details view                # FilesAppContext::iCheckTheTagInTheDropdownForTagsInTheDetailsView()
    And I check the tag "tag4" in the dropdown for tags in the details view                 # FilesAppContext::iCheckTheTagInTheDropdownForTagsInTheDetailsView()
    Then I see that the tag "tag2" in the dropdown for tags in the details view is checked  # FilesAppContext::iSeeThatTheTagInTheDropdownForTagsInTheDetailsViewIsChecked()
    And I see that the tag "tag4" in the dropdown for tags in the details view is checked   # FilesAppContext::iSeeThatTheTagInTheDropdownForTagsInTheDetailsViewIsChecked()
    And I see that the input field for tags in the details view contains the tag "tag2"     # FilesAppContext::iSeeThatTheInputFieldForTagsInTheDetailsViewContainsTheTag()
      Failed asserting that false is true.
    And I see that the input field for tags in the details view contains the tag "tag4"     # FilesAppContext::iSeeThatTheInputFieldForTagsInTheDetailsViewContainsTheTag()

TESTS=acceptance, TESTS-ACCEPTANCE=login

• tests/acceptance/features/login.feature:9
• tests/acceptance/features/login.feature:15
• tests/acceptance/features/login.feature:26
• tests/acceptance/features/login.feature:38

Show full log

  Scenario: try to log in with valid user and invalid password # /drone/src/github.com/nextcloud/server/tests/acceptance/features/login.feature:9
    Given I visit the Home page                                # FeatureContext::iVisitTheHomePage()
    When I log in with user user0 and password 654321          # LoginPageContext::iLogInWithUserAndPassword()
    Then I see that the current page is the Login page         # LoginPageContext::iSeeThatTheCurrentPageIsTheLoginPage()
    And I see that a wrong password message is shown           # LoginPageContext::iSeeThatAWrongPasswordMessageIsShown()
      Wrong password message in Login page could not be found after 100 seconds (NoSuchElementException)

  Scenario: log in with valid user and invalid password once fixed by admin # /drone/src/github.com/nextcloud/server/tests/acceptance/features/login.feature:15
    Given I act as John                                                     # ActorContext::iActAs()
    And I can not log in with user user0 and password 654231                # LoginPageContext::iCanNotLogInWithUserAndPassword()
      Wrong password message in Login page could not be found after 100 seconds (NoSuchElementException)
    When I act as Jane                                                      # ActorContext::iActAs()
    And I am logged in as the admin                                         # LoginPageContext::iAmLoggedInAsTheAdmin()
    And I open the User settings                                            # SettingsMenuContext::iOpenTheUserSettings()
    And I set the password for user0 to 654321                              # UsersSettingsContext::iSetTheFieldForUserTo()
    And I act as John                                                       # ActorContext::iActAs()
    And I log in with user user0 and password 654321                        # LoginPageContext::iLogInWithUserAndPassword()
    Then I see that the current page is the Files app                       # FilesAppContext::iSeeThatTheCurrentPageIsTheFilesApp()

  Scenario: try to log in with invalid user                    # /drone/src/github.com/nextcloud/server/tests/acceptance/features/login.feature:26
    Given I visit the Home page                                # FeatureContext::iVisitTheHomePage()
    When I log in with user unknownUser and password 123456acb # LoginPageContext::iLogInWithUserAndPassword()
    Then I see that the current page is the Login page         # LoginPageContext::iSeeThatTheCurrentPageIsTheLoginPage()
    And I see that a wrong password message is shown           # LoginPageContext::iSeeThatAWrongPasswordMessageIsShown()
      Wrong password message in Login page could not be found after 100 seconds (NoSuchElementException)

  Scenario: log in with invalid user once fixed by admin              # /drone/src/github.com/nextcloud/server/tests/acceptance/features/login.feature:38
    Given I act as John                                               # ActorContext::iActAs()
    And I can not log in with user unknownUser and password 123456acb # LoginPageContext::iCanNotLogInWithUserAndPassword()
      Wrong password message in Login page could not be found after 100 seconds (NoSuchElementException)
    When I act as Jane                                                # ActorContext::iActAs()
    And I am logged in as the admin                                   # LoginPageContext::iAmLoggedInAsTheAdmin()
    And I open the User settings                                      # SettingsMenuContext::iOpenTheUserSettings()
    And I click the New user button                                   # UsersSettingsContext::iClickTheNewUserButton()
    And I see that the new user form is shown                         # UsersSettingsContext::iSeeThatTheNewUserFormIsShown()
    And I create user unknownUser with password 123456acb             # UsersSettingsContext::iCreateUserWithPassword()
    And I see that the list of users contains the user unknownUser    # UsersSettingsContext::iSeeThatTheListOfUsersContainsTheUser()
    And I act as John                                                 # ActorContext::iActAs()
    And I log in with user unknownUser and password 123456acb         # LoginPageContext::iLogInWithUserAndPassword()

[ChristophWurst]

🙈 on the DOMParser stuff

👍 on the rest

[rullzer]

CI happy. I'm happy.