In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
github.com/twbs/bootstrap/issues/26423