From 247eae5cec8f5527819ad90c8020c8d8d2fd1b1c Mon Sep 17 00:00:00 2001
From: npt-1707
Date: Mon, 4 May 2026 07:12:16 +0800
Subject: [PATCH] app/public/libs/bootstrap/js/bootstrap.js: Fix XSS
---
 app/public/libs/bootstrap/js/bootstrap.js | 27 ++++++++++++++++-------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/app/public/libs/bootstrap/js/bootstrap.js b/app/public/libs/bootstrap/js/bootstrap.js
index 87fa5b4e..db2ef221 100644
--- a/app/public/libs/bootstrap/js/bootstrap.js
+++ b/app/public/libs/bootstrap/js/bootstrap.js
@@ -98,7 +98,8 @@
 selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') //strip for ie7
 }
- $parent = $(selector)
+ selector = selector === '#' ? [] : selector
+ var $parent = $(document).find(selector)
 e && e.preventDefault()
@@ -439,10 +440,17 @@
 * ================= */
 $(document).on('click.carousel.data-api', '[data-slide], [data-slide-to]', function (e) {
- var $this = $(this), href
- , $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) //strip for ie7
- , options = $.extend({}, $target.data(), $this.data())
- , slideIndex
+ var $this = $(this)
+ var href = $this.attr('href')
+ if (href) {
+ href = href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ }
+
+ var target = $this.attr('data-target') || href
+ var $target = $(document).find(target)
+
+ var options = $.extend({}, $target.data(), $this.data())
+ var slideIndex
 $target.carousel(options)
@@ -725,7 +733,7 @@
 selector = selector && /#/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') //strip for ie7
 }
- $parent = selector && $(selector)
+ var $parent = selector && $(document).find(selector)
 if (!$parent || !$parent.length) $parent = $this.parent()
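Review bot: The two added lines in the alert close handler need a comment, because neither the `'#'` special case nor the move from `$(selector)` to `$(document).find(selector)` explains itself. `$()` will build DOM elements when the string it receives looks like HTML, whereas `.find()` only ever evaluates its argument as a selector, and that difference is the whole fix; without a note a later cleanup could revert it. Suggested comment above the lookup: `// Use .find(), not $(): the attribute value must never be parsed as HTML. A bare '#' is not a valid selector, so look up nothing.` The same one-line reason would help at the carousel, dropdown and modal lookups changed in this patch. The enclosing function starts and ends outside the hunk.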
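Review bot: The dropdown lookup `selector && $(document).find(selector)` lacks the `'#'` guard that the alert hunk in this same patch adds, so a toggle with `href="#"` and no `data-target` hands `'#'` to `.find()`. The context line above leaves `'#'` unchanged (the regex only strips what precedes the `#`), and `.find('#')` is likely to raise a selector syntax error instead of returning an empty set, which would skip the `$this.parent()` fallback on the following line. Suggest `var $parent = selector && selector !== '#' && $(document).find(selector)`. The carousel and modal handlers can reach the same call with `'#'` when `href="#"` is used without `data-target`. The enclosing function starts and ends outside the hunk.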
@@ -990,8 +998,11 @@
 $(document).on('click.modal.data-api', '[data-toggle="modal"]', function (e) {
 var $this = $(this)
 , href = $this.attr('href')
- , $target = $($this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, ''))) //strip for ie7
- , option = $target.data('modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())
+ var target = $this.attr('data-target') ||
+ (href && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+
+ var $target = $(document).find(target)
+ var option = $target.data('modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())
 e.preventDefault()
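Review bot: The `remote` option on the last added line is still filled from the raw `href` whenever it contains no `#`, and this patch leaves that path unconstrained. If the Modal plugin (outside this hunk) fetches that URL and inserts the response into the modal body, as Bootstrap 2's modal appears to do, then an `href` built from untrusted data remains a way to get markup into the page after the selector fix. At minimum the assumption should be written down next to the option, e.g. `// remote content is inserted as HTML: href must be a trusted, same-origin URL`; a check on the URL before it is used would be stronger. The handler continues past the end of the hunk.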