
Calling that a security vulnerability is quite the stretch.



I am not sure how an XSS vulnerability is considered a stretch. Perhaps the likelihood of it is low. Is that what you meant?

That still doesn't address the overall point, which is that Bootstrap 3 is no longer maintained, according to its project owner, and this or any future vulnerabilities may or may not be patched. That seems like a significant risk to me.


It's not an XSS vulnerability in Bootstrap for the same reasons

  <div class="row"> UNESCAPED USER INPUT </div>
or

   <img src="UNESCAPED USER INPUT">
aren't - escaping user input is up to the developer, not Bootstrap. Being essentially a static HTML/CSS framework with a bit of well-tested optional JS, Bootstrap's attack surface is minimal, making future vulnerabilities a pretty unlikely situation. A quick perusal of GitHub's issues search for "security" finds nothing significant in the past.


I will echo this person: "This was found in an application where data-target was based on user input and only passed through standard HTML entities encoding. There is no reason why data-target should interpret HTML so while not impacting many applications it should be fixed in my opinion."

https://github.com/twbs/bootstrap/issues/20184#issuecomment-...
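An added example, not part of this thread and not Bootstrap's or jQuery's code, tracing the situation the quoted comment describes: a user value is HTML-entity encoded into a data-target attribute, the browser decodes the entities again when the attribute is read, and the decoded string reaches jQuery's $(...), which treats a string that starts with "<" as markup to parse rather than as a selector. The three-step pipeline, the attribute markup and the payload are assumptions made for the illustration; the rquickExpr pattern is adapted from jQuery's own selector-versus-HTML check. Nothing here touches a DOM, so the onerror handler in the sample never runs.

```javascript
// Added illustration (not Bootstrap's or the commenter's code) of why HTML-entity
// encoding alone does not make a user-controlled data-target safe.
//
// Assumed pipeline, following the quoted comment:
//   1. the server HTML-escapes the user value into data-target="..."
//   2. the browser decodes entities when the attribute is read (attr/getAttribute)
//   3. a plugin passes that decoded string to jQuery's $(...)
// jQuery treats a string that begins with "<" as HTML to parse, not as a selector,
// so step 2 undoes step 1 before the string reaches the sink in step 3.

// Step 1: standard HTML-entity encoding, the protection the comment says was applied.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Step 2: what the browser hands back for the attribute value: entities decoded.
function decodeAttribute(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[e]));
}

// Step 3: jQuery's quick check (adapted from its rquickExpr). A leading "<...>"
// means "parse as HTML and create elements"; "#id" means an id selector.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;
function jqueryWouldParseAsHtml(str) {
  const m = rquickExpr.exec(str);
  return Boolean(m && m[1]);
}

// Trace a value through the three steps and report what the sink would see.
function trace(userInput) {
  const attrValueInMarkup = escapeHtml(userInput);            // what is in the HTML source
  const valueSeenByPlugin = decodeAttribute(attrValueInMarkup); // what attr('data-target') returns
  return {
    markup: `<a data-toggle="collapse" data-target="${attrValueInMarkup}">toggle</a>`,
    selector: valueSeenByPlugin,
    parsedAsHtml: jqueryWouldParseAsHtml(valueSeenByPlugin),
  };
}

// Hardened form (hypothetical application-side check): accept data-target only as
// the kind of selector you intend, here a simple id selector, and drop anything else
// before it can reach $(...). Encoding alone is the wrong tool for this position.
function safeTargetSelector(candidate) {
  return /^#[A-Za-z][\w-]*$/.test(candidate) ? candidate : null;
}

// Constructed sample inputs for the demonstration.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const BENIGN = '#panel-1';

const hostile = trace(PAYLOAD);
console.log('markup:      ', hostile.markup);      // entities present, looks escaped
console.log('sink sees:   ', hostile.selector);    // decoded back to raw markup
console.log('parsed as HTML:', hostile.parsedAsHtml);
console.log('benign:', trace(BENIGN).parsedAsHtml);
console.log('hardened:', safeTargetSelector(PAYLOAD), safeTargetSelector(BENIGN));
```

The point the trace makes is the one both sides of the thread are circling: entity encoding is the correct defence for text placed into an HTML attribute, and it does its job (the markup is well-formed and the value stays inside the attribute). What it cannot do is make the decoded value safe for a second, different context, a jQuery selector, so whoever builds data-target from user input has to validate it for that context, and whoever consumes it has to decide whether a selector sink should ever accept markup at all.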


Echoing a wrong statement doesn't make it any less wrong.

If you don't want XSS, don't echo untrusted raw user input to the browser. Not in the title tag, not in a paragraph body, not in a data attribute. It's on you, or your application framework. Expecting Bootstrap to combat it is insane.



