actiontext 7.1.3.3 → 7.1.3.4



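--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 2c64b902311d318e3166ecc33e11d36f3b489b173941df779cac70e5523037e9
-data.tar.gz: 262303fcd96805d2739cff5ace1eddeb35daa5d2205677cf18ab858abbd3b9b2
+metadata.gz: d51a41ff03b550ac428a52ce89ee785539d2ac0b386c5597f4c06b763070d054
+data.tar.gz: 85028cdc38e4448c321e17190924c602f7bd940588307ef42206c7e0842ba31a
 SHA512:
-metadata.gz: '0192e5197f027ad24a0acb6a79deef6f380ad816de72058d5cac1804e8bd25a7bdeaf898479fd1080ddcc15cbe4e1fd35da2af292ba681a2683f9bc60aa983e7'
-data.tar.gz: 2045ea65d4bfc311886aa9b53f0cae50a1c8921d64cf8437ccf7e99ca53a1decb10e50b210507b744417af1aa29b184ed7b7103e046f319af57e7114db49a92c
+metadata.gz: 417dec3ad3e197b566e52b5b42356481d6a5f54e1a792b5f16c7eeaa45137b2a4bdeeb32e83fd890d884fc60864e7d6062ebe25115710a40de06df3c93812c95
+data.tar.gz: ab1691bf97b79a8f2b644b6bf324c06fc663fd8ca2ba4641a906fcf7062a4c4acb4103b25b405561fc21e81198ce7b7541a9d02921d137ae14de6eb75d01b1c7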
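--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## Rails 7.1.3.4 (June 04, 2024) ##
+
+* Sanitize ActionText HTML ContentAttachment in Trix edit view
+[CVE-2024-32464]
+
+
 ## Rails 7.1.3.3 (May 16, 2024) ##
 
 * Upgrade Trix to 1.3.2 to fix [CVE-2024-34341](https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99).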
@@ -14,6 +14,15 @@ module ActionText
14
14
  sanitize_action_text_content(render_action_text_attachments(content))
15
15
  end
16
16
 
17
+ def sanitize_content_attachment(content_attachment)
18
+ sanitizer.sanitize(
19
+ content_attachment,
20
+ tags: sanitizer_allowed_tags,
21
+ attributes: sanitizer_allowed_attributes,
22
+ scrubber: scrubber,
23
+ )
24
+ end
25
+
17
26
  def sanitize_action_text_content(content)
18
27
  sanitizer.sanitize(
19
28
  content.to_html,
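Review bot: `sanitize_content_attachment` is undocumented, and its contract differs from the neighbouring `sanitize_action_text_content`: it receives the raw string of an attachment's `content` attribute (no `to_html` call) and passes it straight to `sanitizer.sanitize` with `tags:`, `attributes:` and `scrubber:` options that presumably mirror the sibling, whose argument list continues past the end of the hunk. A comment above the `def` would record the intent, e.g. `# Sanitizes the HTML stored in an attachment's +content+ attribute with the same allow-list and scrubber as the surrounding rich text, so attachment markup re-rendered in the editor cannot carry HTML the content sanitizer would have stripped.` Since the option set is written out twice rather than shared, any later change to the allowed tags or attributes has to be made in both methods; a private helper returning the options hash would keep them in step. With Rails' HTML sanitizer a nil argument is returned as nil, which callers should be aware of.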
@@ -20,7 +20,7 @@ module ActionText
20
20
  # body.to_s # => "<h1>Funny times!</h1>"
21
21
  # body.to_plain_text # => "Funny times!"
22
22
  class Content
23
- include Rendering, Serialization
23
+ include Rendering, Serialization, ContentHelper
24
24
 
25
25
  attr_reader :fragment
26
26
 
@@ -94,6 +94,7 @@ module ActionText
94
94
 
95
95
  def render_attachments(**options, &block)
96
96
  content = fragment.replace(ActionText::Attachment.tag_name) do |node|
97
+ node["content"] = sanitize_content_attachment(node["content"])
97
98
  block.call(attachment_for_node(node, **options))
98
99
  end
99
100
  self.class.new(content, canonicalize: false)
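Review bot: The added line assigns `sanitize_content_attachment(node["content"])` back to the node unconditionally, but attachments that carry no `content` attribute yield nil here; Rails' HTML sanitizer returns nil for nil input and Nokogiri's `Node#[]=` appears to stringify the value, so such nodes would gain an empty `content=""` attribute they did not have before. Guarding the assignment leaves those nodes untouched: `node["content"] = sanitize_content_attachment(node["content"]) if node["content"]`. Whether an extra empty attribute changes how `attachment_for_node` resolves the attachable cannot be seen from this hunk, so a test covering a plain blob attachment without `content` would be worth adding. The closing `end` of `render_attachments` falls outside the hunk.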
@@ -10,7 +10,7 @@ module ActionText
10
10
  MAJOR = 7
11
11
  MINOR = 1
12
12
  TINY = 3
13
- PRE = "3"
13
+ PRE = "4"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
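--- a/data/package.json
+++ b/data/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@rails/actiontext",
-"version": "7.1.3-3",
+"version": "7.1.3-4",
 "description": "Edit and display rich text in Rails applications",
 "module": "app/assets/javascripts/actiontext.esm.js",
 "main": "app/assets/javascripts/actiontext.js",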
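--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actiontext
 version: !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 platform: ruby
 authors:
 - Javan Makhmali
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-16 00:00:00.000000000 Z
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -18,56 +18,56 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 - !ruby/object:Gem::Dependency
 name: activerecord
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 - !ruby/object:Gem::Dependency
 name: activestorage
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 - !ruby/object:Gem::Dependency
 name: actionpack
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.1.3.3
+version: 7.1.3.4
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -163,10 +163,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.1.3.3/actiontext/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.1.3.3/
+changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actiontext/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.1.3.3/actiontext
+source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actiontext
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -183,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.5.10
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Rich text framework.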