XSS possible in data-target property of scrollspy

[1Jesper1]

XSS possible in scrollspy data-target attribute
data-target="<img src=1 onerror=alert(123) />"
Bootstrap 4.1.1 in combination with JQuery 3.3.1

[Johann-S]

Bug reports must include a live demo of the problem. Per our contributing guidelines, please create a reduced test case via CodePen or JS Bin and report back with your link, Bootstrap version, and specific browser and OS details.

[1Jesper1]

https://jsbin.com/toxogipewo/edit?html,output

Browser: Chrome Version 66.0.3359.181 64x
OS: Windows 10 64x

[anarcat]

during some tests in the Debian LTS security team, it was determined that Bootstrap 2.0.2, 3.2.0 and 3.3.7 are not affected by this issue.