actiontext 7.2.0.beta1 → 7.2.0.beta3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d497d50205633b66005bfcfe850ee8d5404c0b3b9f953a14356bb912c8b3b4d5
-  data.tar.gz: '099e3d4dca02f13983f06b8ffcf6c49a1bb2f3cb66ae94e8534c0764f8b56700'
+  metadata.gz: 65724c998d6b019bb85d677b268775d32c2186626222f56a3020f832adb8927f
+  data.tar.gz: 365d4797f49ba681aefd35e8326e88b1aa1a06b1d8809c1f7d52baa7a8fd8708
 SHA512:
-  metadata.gz: e9acfe56af6ec22cf0448fc42c7dc3cba769bbbce316efa926869ac083db8491a547366ae5beede3da8a02b75c1cbb6f7a8e252c0519fbd7c282af841835a644
-  data.tar.gz: 9beaaede36bf8158e2fee2e6d5f2fb02dbaabeb86a279ee7ca0e9ef87b5cc710d3ea454ae3e8723235eb8b2d2bc2586e540f89623c2609fd3620207e2785c042
+  metadata.gz: 19644ed4010376665015b5ac97079d66e23f520be347f5e763b78b24633b8be564f26ab5a99443467d6996c20933791be5c433d8bcce13e75182433f47b26057
+  data.tar.gz: fd5ad4003f16c44430f2bf320f1b2dc666a063d3e6fd7bba2e81be7b9c672988260f1de1a2a03ee3a0b55ed024a67e4353d53d067dfb4f703dcfc1dd3ec3fdf4

data/CHANGELOG.md

@@ -1,3 +1,18 @@
+## Rails 7.2.0.beta3 (July 11, 2024) ##
+
+*   Only sanitize `content` attribute when present in attachments.
+
+    *Petrik de Heus*
+
+
+## Rails 7.2.0.beta2 (June 04, 2024) ##
+
+*   Sanitize ActionText HTML ContentAttachment in Trix edit view
+    [CVE-2024-32464]
+
+    *Aaron Patterson*, *Zack Deveau*
+
+
 ## Rails 7.2.0.beta1 (May 29, 2024) ##
 
 *   Use `includes` instead of `eager_load` for `with_all_rich_text`.

data/app/assets/javascripts/actiontext.esm.js

@@ -771,9 +771,9 @@ function start() {
 }
 
 function didClick(event) {
-  const {target: target} = event;
-  if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
-    submitButtonsByForm.set(target.form, target);
+  const button = event.target.closest("button, input");
+  if (button && button.type === "submit" && button.form) {
+    submitButtonsByForm.set(button.form, button);
   }
 }
 

data/app/assets/javascripts/actiontext.js

@@ -753,9 +753,9 @@
     }
   }
   function didClick(event) {
-    const {target: target} = event;
-    if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
-      submitButtonsByForm.set(target.form, target);
+    const button = event.target.closest("button, input");
+    if (button && button.type === "submit" && button.form) {
+      submitButtonsByForm.set(button.form, button);
     }
   }
   function didSubmitForm(event) {

data/app/helpers/action_text/content_helper.rb

@@ -16,6 +16,15 @@ module ActionText
       sanitize_action_text_content(render_action_text_attachments(content))
     end
 
+    def sanitize_content_attachment(content_attachment)
+      sanitizer.sanitize(
+        content_attachment,
+        tags: sanitizer_allowed_tags,
+        attributes: sanitizer_allowed_attributes,
+        scrubber: scrubber,
+      )
+    end
+
     def sanitize_action_text_content(content)
       sanitizer.sanitize(
         content.to_html,

data/lib/action_text/content.rb

@@ -22,7 +22,7 @@ module ActionText
   #     body.to_s # => "<h1>Funny times!</h1>"
   #     body.to_plain_text # => "Funny times!"
   class Content
-    include Rendering, Serialization
+    include Rendering, Serialization, ContentHelper
 
     attr_reader :fragment
 
@@ -97,6 +97,9 @@ module ActionText
 
     def render_attachments(**options, &block)
       content = fragment.replace(ActionText::Attachment.tag_name) do |node|
+        if node.key? "content"
+          node["content"] = sanitize_content_attachment(node["content"])
+        end
         block.call(attachment_for_node(node, **options))
       end
       self.class.new(content, canonicalize: false)

data/lib/action_text/gem_version.rb

@@ -12,7 +12,7 @@ module ActionText
     MAJOR = 7
     MINOR = 2
     TINY  = 0
-    PRE   = "beta1"
+    PRE   = "beta3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.2.0-beta1",
+  "version": "7.2.0-beta3",
   "description": "Edit and display rich text in Rails applications",
   "module": "app/assets/javascripts/actiontext.esm.js",
   "main": "app/assets/javascripts/actiontext.js",
@@ -22,7 +22,7 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@rails/activestorage": ">= 7.1.0-alpha"
+    "@rails/activestorage": ">= 7.2.0-alpha"
   },
   "peerDependencies": {
     "trix": "^2.0.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actiontext
 version: !ruby/object:Gem::Version
-  version: 7.2.0.beta1
+  version: 7.2.0.beta3
 platform: ruby
 authors:
 - Javan Makhmali
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-29 00:00:00.000000000 Z
+date: 2024-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -18,56 +18,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
 - !ruby/object:Gem::Dependency
   name: activestorage
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta3
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -163,10 +163,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.0.beta1/actiontext/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.0.beta1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.2.0.beta3/actiontext/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.2.0.beta3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.0.beta1/actiontext
+  source_code_uri: https://github.com/rails/rails/tree/v7.2.0.beta3/actiontext
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -183,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.10
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Rich text framework.