actionview 6.1.7.1 → 6.1.7.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f91caf0c3c900f6272f88a204aa46f4af927c8cf1547aea4162f166252b75c37
4
- data.tar.gz: e306577e5bf3bb4ee01f6c467f2c2aac6bfe547fbf982051fb8b0c0fb2eb314a
3
+ metadata.gz: 978c1f3e62241eeb02e4613dbaa86317517fd540f0d6cd24a61725214e6a27d3
4
+ data.tar.gz: f97bb9a4191c7202164970cf2c0019dba3ee8b3173c57c0242419a3b32cd260c
5
5
  SHA512:
6
- metadata.gz: 7fed80a845b3909ee328404415c2b50b783b129dfefa84912841b56ebfadec701594433bcb20b8911ae8e51ce13fc1a30a92e991f1220a59a1bf7a0dba0607ba
7
- data.tar.gz: fd5db5a70516983533d56e65033588c9db897e8b59df818f05f9c25d01f15e16b5f916a8547bdf780dd4e2566133c079fceb2ad8e1ab32a788d48b3183039e7a
6
+ metadata.gz: 8bf45fd0eee54a74b1a330d89331005cfb4891b4d41163de5a69fd092d57c040cd27f3ef8bd55efe73812198dff3ed867fcb5a2b8df6a78752061daf7436337a
7
+ data.tar.gz: 99f0b954470431b96da223d1d6878d7b50febadf6fcd13048bbf0ed44e0669a7be548d3c61adfd575e8b9c207bfb3763d533cb804eb0e54bebf5d97d9f855e25
data/CHANGELOG.md CHANGED
@@ -1,3 +1,15 @@
1
+ ## Rails 6.1.7.3 (March 13, 2023) ##
2
+
3
+ * Ignore certain data-* attributes in rails-ujs when element is contenteditable
4
+
5
+ [CVE-2023-23913]
6
+
7
+
8
+ ## Rails 6.1.7.2 (January 24, 2023) ##
9
+
10
+ * No changes.
11
+
12
+
1
13
  ## Rails 6.1.7.1 (January 17, 2023) ##
2
14
 
3
15
  * No changes.
@@ -10,7 +10,7 @@ module ActionView
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 7
13
- PRE = "1"
13
+ PRE = "3"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -73,6 +73,22 @@ Released under the MIT license
73
73
  return element[expando][key] = value;
74
74
  };
75
75
 
76
+ Rails.isContentEditable = function(element) {
77
+ var isEditable;
78
+ isEditable = false;
79
+ while (true) {
80
+ if (element.isContentEditable) {
81
+ isEditable = true;
82
+ break;
83
+ }
84
+ element = element.parentElement;
85
+ if (!element) {
86
+ break;
87
+ }
88
+ }
89
+ return isEditable;
90
+ };
91
+
76
92
  Rails.$ = function(selector) {
77
93
  return Array.prototype.slice.call(document.querySelectorAll(selector));
78
94
  };
@@ -395,9 +411,9 @@ Released under the MIT license
395
411
 
396
412
  }).call(this);
397
413
  (function() {
398
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
414
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
399
415
 
400
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
416
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
401
417
 
402
418
  Rails.handleDisabledElement = function(e) {
403
419
  var element;
@@ -417,6 +433,9 @@ Released under the MIT license
417
433
  } else {
418
434
  element = e;
419
435
  }
436
+ if (isContentEditable(element)) {
437
+ return;
438
+ }
420
439
  if (matches(element, Rails.linkDisableSelector)) {
421
440
  return enableLinkElement(element);
422
441
  } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
429
448
  Rails.disableElement = function(e) {
430
449
  var element;
431
450
  element = e instanceof Event ? e.target : e;
451
+ if (isContentEditable(element)) {
452
+ return;
453
+ }
432
454
  if (matches(element, Rails.linkDisableSelector)) {
433
455
  return disableLinkElement(element);
434
456
  } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
513
535
 
514
536
  }).call(this);
515
537
  (function() {
516
- var stopEverything;
538
+ var isContentEditable, stopEverything;
517
539
 
518
540
  stopEverything = Rails.stopEverything;
519
541
 
542
+ isContentEditable = Rails.isContentEditable;
543
+
520
544
  Rails.handleMethod = function(e) {
521
545
  var csrfParam, csrfToken, form, formContent, href, link, method;
522
546
  link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
524
548
  if (!method) {
525
549
  return;
526
550
  }
551
+ if (isContentEditable(this)) {
552
+ return;
553
+ }
527
554
  href = Rails.href(link);
528
555
  csrfToken = Rails.csrfToken();
529
556
  csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
545
572
 
546
573
  }).call(this);
547
574
  (function() {
548
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
575
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
549
576
  slice = [].slice;
550
577
 
551
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
578
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
552
579
 
553
580
  isRemote = function(element) {
554
581
  var value;
@@ -566,6 +593,10 @@ Released under the MIT license
566
593
  fire(element, 'ajax:stopped');
567
594
  return false;
568
595
  }
596
+ if (isContentEditable(element)) {
597
+ fire(element, 'ajax:stopped');
598
+ return false;
599
+ }
569
600
  withCredentials = element.getAttribute('data-with-credentials');
570
601
  dataType = element.getAttribute('data-type') || 'script';
571
602
  if (matches(element, Rails.formSubmitSelector)) {
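Review bot: The new `Rails.isContentEditable` helper in the `@@ -73,6 +73,22 @@` hunk carries no comment saying why rails-ujs now refuses to act on editable elements, so a later reader will not connect the ancestor walk to the data-* attribute concern the CHANGELOG entry names; add `// data-* attributes on elements inside a contenteditable region are not under the page author's control, so the handlers below skip them (CVE-2023-23913).` above it. The helper also reassigns its `element` parameter while walking `parentElement`; `while (element) { if (element.isContentEditable) { return true; } element = element.parentElement; } return false;` reads more directly, and since the DOM's `isContentEditable` already reports editability inherited from ancestors the walk may be redundant, which is worth confirming against the browsers the file targets. In the `@@ -524,6 +548,9 @@` hunk the guard passes `this` while the rest of `Rails.handleMethod` uses the `link` alias assigned from it; `if (isContentEditable(link))` keeps that consistent. `Rails.handleMethod` starts outside that hunk.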
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionview
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.7.1
4
+ version: 6.1.7.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-01-17 00:00:00.000000000 Z
11
+ date: 2023-03-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.7.1
19
+ version: 6.1.7.3
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.7.1
26
+ version: 6.1.7.3
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: builder
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
92
92
  requirements:
93
93
  - - '='
94
94
  - !ruby/object:Gem::Version
95
- version: 6.1.7.1
95
+ version: 6.1.7.3
96
96
  type: :development
97
97
  prerelease: false
98
98
  version_requirements: !ruby/object:Gem::Requirement
99
99
  requirements:
100
100
  - - '='
101
101
  - !ruby/object:Gem::Version
102
- version: 6.1.7.1
102
+ version: 6.1.7.3
103
103
  - !ruby/object:Gem::Dependency
104
104
  name: activemodel
105
105
  requirement: !ruby/object:Gem::Requirement
106
106
  requirements:
107
107
  - - '='
108
108
  - !ruby/object:Gem::Version
109
- version: 6.1.7.1
109
+ version: 6.1.7.3
110
110
  type: :development
111
111
  prerelease: false
112
112
  version_requirements: !ruby/object:Gem::Requirement
113
113
  requirements:
114
114
  - - '='
115
115
  - !ruby/object:Gem::Version
116
- version: 6.1.7.1
116
+ version: 6.1.7.3
117
117
  description: Simple, battle-tested conventions and helpers for building web pages.
118
118
  email: david@loudthinking.com
119
119
  executables: []
@@ -239,10 +239,10 @@ licenses:
239
239
  - MIT
240
240
  metadata:
241
241
  bug_tracker_uri: https://github.com/rails/rails/issues
242
- changelog_uri: https://github.com/rails/rails/blob/v6.1.7.1/actionview/CHANGELOG.md
243
- documentation_uri: https://api.rubyonrails.org/v6.1.7.1/
242
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.7.3/actionview/CHANGELOG.md
243
+ documentation_uri: https://api.rubyonrails.org/v6.1.7.3/
244
244
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
245
- source_code_uri: https://github.com/rails/rails/tree/v6.1.7.1/actionview
245
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.7.3/actionview
246
246
  rubygems_mfa_required: 'true'
247
247
  post_install_message:
248
248
  rdoc_options: []