actiontext 7.2.0.beta1 → 7.2.0.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d497d50205633b66005bfcfe850ee8d5404c0b3b9f953a14356bb912c8b3b4d5
-  data.tar.gz: '099e3d4dca02f13983f06b8ffcf6c49a1bb2f3cb66ae94e8534c0764f8b56700'
+  metadata.gz: '038e42b13d583f9db670ee6dc104ef802f4c9c77920037b38a95fb28e9a625b4'
+  data.tar.gz: 31ee1edbf17eebb4ff96b83a4af0a296d80ea55244c5301e940f939ecaee4921
 SHA512:
-  metadata.gz: e9acfe56af6ec22cf0448fc42c7dc3cba769bbbce316efa926869ac083db8491a547366ae5beede3da8a02b75c1cbb6f7a8e252c0519fbd7c282af841835a644
-  data.tar.gz: 9beaaede36bf8158e2fee2e6d5f2fb02dbaabeb86a279ee7ca0e9ef87b5cc710d3ea454ae3e8723235eb8b2d2bc2586e540f89623c2609fd3620207e2785c042
+  metadata.gz: d8b926161af97aa1f62f17f6c775b045184af218452fb38243f0ca58713af6b313a51d6015651c8c9199ea148bf0ba80a825d0fb2e4cb9c17b1edc863efb6dc1
+  data.tar.gz: 2be0ecf3329ce40edf0e365082efb993c053a6d359877bc75ea9b953d569ed85730def05e950f03ffb644375004c4795067838a3240d4b6bfd102e622288c958

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## Rails 7.2.0.beta2 (June 04, 2024) ##
+
+*   Sanitize ActionText HTML ContentAttachment in Trix edit view
+    [CVE-2024-32464]
+
+
 ## Rails 7.2.0.beta1 (May 29, 2024) ##
 
 *   Use `includes` instead of `eager_load` for `with_all_rich_text`.

data/app/assets/javascripts/actiontext.esm.js

@@ -771,9 +771,9 @@ function start() {
 }
 
 function didClick(event) {
-  const {target: target} = event;
-  if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
-    submitButtonsByForm.set(target.form, target);
+  const button = event.target.closest("button, input");
+  if (button && button.type === "submit" && button.form) {
+    submitButtonsByForm.set(button.form, button);
   }
 }
 

data/app/assets/javascripts/actiontext.js

@@ -753,9 +753,9 @@
     }
   }
   function didClick(event) {
-    const {target: target} = event;
-    if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
-      submitButtonsByForm.set(target.form, target);
+    const button = event.target.closest("button, input");
+    if (button && button.type === "submit" && button.form) {
+      submitButtonsByForm.set(button.form, button);
     }
   }
   function didSubmitForm(event) {

data/app/helpers/action_text/content_helper.rb

@@ -16,6 +16,15 @@ module ActionText
       sanitize_action_text_content(render_action_text_attachments(content))
     end
 
+    def sanitize_content_attachment(content_attachment)
+      sanitizer.sanitize(
+        content_attachment,
+        tags: sanitizer_allowed_tags,
+        attributes: sanitizer_allowed_attributes,
+        scrubber: scrubber,
+      )
+    end
+
     def sanitize_action_text_content(content)
       sanitizer.sanitize(
         content.to_html,

data/lib/action_text/content.rb

@@ -22,7 +22,7 @@ module ActionText
   #     body.to_s # => "<h1>Funny times!</h1>"
   #     body.to_plain_text # => "Funny times!"
   class Content
-    include Rendering, Serialization
+    include Rendering, Serialization, ContentHelper
 
     attr_reader :fragment
 
@@ -97,6 +97,7 @@ module ActionText
 
     def render_attachments(**options, &block)
       content = fragment.replace(ActionText::Attachment.tag_name) do |node|
+        node["content"] = sanitize_content_attachment(node["content"])
         block.call(attachment_for_node(node, **options))
       end
       self.class.new(content, canonicalize: false)

data/lib/action_text/gem_version.rb

@@ -12,7 +12,7 @@ module ActionText
     MAJOR = 7
     MINOR = 2
     TINY  = 0
-    PRE   = "beta1"
+    PRE   = "beta2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "7.2.0-beta1",
+  "version": "7.2.0-beta2",
   "description": "Edit and display rich text in Rails applications",
   "module": "app/assets/javascripts/actiontext.esm.js",
   "main": "app/assets/javascripts/actiontext.js",
@@ -22,7 +22,7 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@rails/activestorage": ">= 7.1.0-alpha"
+    "@rails/activestorage": ">= 7.2.0-alpha"
   },
   "peerDependencies": {
     "trix": "^2.0.0"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actiontext
 version: !ruby/object:Gem::Version
-  version: 7.2.0.beta1
+  version: 7.2.0.beta2
 platform: ruby
 authors:
 - Javan Makhmali
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-29 00:00:00.000000000 Z
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -18,56 +18,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
 - !ruby/object:Gem::Dependency
   name: activestorage
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.0.beta1
+        version: 7.2.0.beta2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -163,10 +163,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.0.beta1/actiontext/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.0.beta1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.2.0.beta2/actiontext/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.2.0.beta2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.0.beta1/actiontext
+  source_code_uri: https://github.com/rails/rails/tree/v7.2.0.beta2/actiontext
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -179,11 +179,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.5.10
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Rich text framework.