actiontext 7.1.3.3 → 7.1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c64b902311d318e3166ecc33e11d36f3b489b173941df779cac70e5523037e9
-  data.tar.gz: 262303fcd96805d2739cff5ace1eddeb35daa5d2205677cf18ab858abbd3b9b2
+  metadata.gz: d51a41ff03b550ac428a52ce89ee785539d2ac0b386c5597f4c06b763070d054
+  data.tar.gz: 85028cdc38e4448c321e17190924c602f7bd940588307ef42206c7e0842ba31a
 SHA512:
-  metadata.gz: '0192e5197f027ad24a0acb6a79deef6f380ad816de72058d5cac1804e8bd25a7bdeaf898479fd1080ddcc15cbe4e1fd35da2af292ba681a2683f9bc60aa983e7'
-  data.tar.gz: 2045ea65d4bfc311886aa9b53f0cae50a1c8921d64cf8437ccf7e99ca53a1decb10e50b210507b744417af1aa29b184ed7b7103e046f319af57e7114db49a92c
+  metadata.gz: 417dec3ad3e197b566e52b5b42356481d6a5f54e1a792b5f16c7eeaa45137b2a4bdeeb32e83fd890d884fc60864e7d6062ebe25115710a40de06df3c93812c95
+  data.tar.gz: ab1691bf97b79a8f2b644b6bf324c06fc663fd8ca2ba4641a906fcf7062a4c4acb4103b25b405561fc21e81198ce7b7541a9d02921d137ae14de6eb75d01b1c7

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## Rails 7.1.3.4 (June 04, 2024) ##
+
+*   Sanitize ActionText HTML ContentAttachment in Trix edit view
+    [CVE-2024-32464]
+
+
 ## Rails 7.1.3.3 (May 16, 2024) ##
 
 *   Upgrade Trix to 1.3.2 to fix [CVE-2024-34341](https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99).

data/app/helpers/action_text/content_helper.rb

@@ -14,6 +14,15 @@ module ActionText
       sanitize_action_text_content(render_action_text_attachments(content))
     end
 
+    def sanitize_content_attachment(content_attachment)
+      sanitizer.sanitize(
+        content_attachment,
+        tags: sanitizer_allowed_tags,
+        attributes: sanitizer_allowed_attributes,
+        scrubber: scrubber,
+      )
+    end
+
     def sanitize_action_text_content(content)
       sanitizer.sanitize(
         content.to_html,

data/lib/action_text/content.rb

@@ -20,7 +20,7 @@ module ActionText
   #   body.to_s # => "<h1>Funny times!</h1>"
   #   body.to_plain_text # => "Funny times!"
   class Content
-    include Rendering, Serialization
+    include Rendering, Serialization, ContentHelper
 
     attr_reader :fragment
 
@@ -94,6 +94,7 @@ module ActionText
 
     def render_attachments(**options, &block)
       content = fragment.replace(ActionText::Attachment.tag_name) do |node|
+        node["content"] = sanitize_content_attachment(node["content"])
         block.call(attachment_for_node(node, **options))
       end
       self.class.new(content, canonicalize: false)

data/lib/action_text/gem_version.rb

@@ -10,7 +10,7 @@ module ActionText
     MAJOR = 7
     MINOR = 1
     TINY  = 3
-    PRE   = "3"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.1.3-3",
+  "version": "7.1.3-4",
   "description": "Edit and display rich text in Rails applications",
   "module": "app/assets/javascripts/actiontext.esm.js",
   "main": "app/assets/javascripts/actiontext.js",

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actiontext
 version: !ruby/object:Gem::Version
-  version: 7.1.3.3
+  version: 7.1.3.4
 platform: ruby
 authors:
 - Javan Makhmali
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-16 00:00:00.000000000 Z
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -18,56 +18,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: activestorage
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.3
+        version: 7.1.3.4
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -163,10 +163,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.3/actiontext/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.3.3/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actiontext/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.3/actiontext
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actiontext
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -183,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.10
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Rich text framework.