In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/