CVE-2016-10735 PoC

Original MITRE Description: In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. (01/09/2019)

Steps to reproduce:

1. Include vulnerable boostrap js and jquery dependency (see this page's source).
2. Createa a button with data-toggle="modal" and data-target attributes.
3. Put HTML Encoded XSS payload into the data-target attribute value: <script> alert("XSS")</script>
4. Open it in browser and click the button.
5. (Alternatively: Click the button below and inspect the source code between <!-- ACTUAL PoC CODE START --> and <!-- ACTUAL PoC CODE END --> to see the PoC in action.)

Demo: Test CVE-2016-10735

Me: @DusekDan

References:

1. NVD Record
2. (Commit d9be1da) Fix for v3
3. (Commit 9612830) Unit Test for v4