actionview 6.1.7.2 → 6.1.7.3

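--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: af22af09202888663076683fcede2d6ff78cc16a5b53f046e9b14031dedd8832
- data.tar.gz: 489ff31631f8e0a5e7f33814602ce9583489b5b89f2215a1d69558aa359807fa
+ metadata.gz: 978c1f3e62241eeb02e4613dbaa86317517fd540f0d6cd24a61725214e6a27d3
+ data.tar.gz: f97bb9a4191c7202164970cf2c0019dba3ee8b3173c57c0242419a3b32cd260c
  SHA512:
- metadata.gz: 6c47f081dc4eea3b451febb506c4173cba87e81ef87519bd6b98311327a49627824f15f94e9da2f10f67f6115f0a12c985882897864dfce5b970bbe313ad1d8d
- data.tar.gz: cf4dd94d64857da8e8b4a197fbe725645c268b9ac770bd9a354b0dfdcd2bfbf7a7a6d1bdffea735527fa8286e6a7ff00651cffb3374f6ebdba80598c1439c47e
+ metadata.gz: 8bf45fd0eee54a74b1a330d89331005cfb4891b4d41163de5a69fd092d57c040cd27f3ef8bd55efe73812198dff3ed867fcb5a2b8df6a78752061daf7436337a
+ data.tar.gz: 99f0b954470431b96da223d1d6878d7b50febadf6fcd13048bbf0ed44e0669a7be548d3c61adfd575e8b9c207bfb3763d533cb804eb0e54bebf5d97d9f855e25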
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ ## Rails 6.1.7.3 (March 13, 2023) ##
2
+
3
+ * Ignore certain data-* attributes in rails-ujs when element is contenteditable
4
+
5
+ [CVE-2023-23913]
6
+
7
+
1
8
  ## Rails 6.1.7.2 (January 24, 2023) ##
2
9
 
3
10
  * No changes.
@@ -10,7 +10,7 @@ module ActionView
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 7
13
- PRE = "2"
13
+ PRE = "3"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -73,6 +73,22 @@ Released under the MIT license
73
73
  return element[expando][key] = value;
74
74
  };
75
75
 
76
+ Rails.isContentEditable = function(element) {
77
+ var isEditable;
78
+ isEditable = false;
79
+ while (true) {
80
+ if (element.isContentEditable) {
81
+ isEditable = true;
82
+ break;
83
+ }
84
+ element = element.parentElement;
85
+ if (!element) {
86
+ break;
87
+ }
88
+ }
89
+ return isEditable;
90
+ };
91
+
76
92
  Rails.$ = function(selector) {
77
93
  return Array.prototype.slice.call(document.querySelectorAll(selector));
78
94
  };
@@ -395,9 +411,9 @@ Released under the MIT license
395
411
 
396
412
  }).call(this);
397
413
  (function() {
398
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
414
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
399
415
 
400
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
416
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
401
417
 
402
418
  Rails.handleDisabledElement = function(e) {
403
419
  var element;
@@ -417,6 +433,9 @@ Released under the MIT license
417
433
  } else {
418
434
  element = e;
419
435
  }
436
+ if (isContentEditable(element)) {
437
+ return;
438
+ }
420
439
  if (matches(element, Rails.linkDisableSelector)) {
421
440
  return enableLinkElement(element);
422
441
  } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
429
448
  Rails.disableElement = function(e) {
430
449
  var element;
431
450
  element = e instanceof Event ? e.target : e;
451
+ if (isContentEditable(element)) {
452
+ return;
453
+ }
432
454
  if (matches(element, Rails.linkDisableSelector)) {
433
455
  return disableLinkElement(element);
434
456
  } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
513
535
 
514
536
  }).call(this);
515
537
  (function() {
516
- var stopEverything;
538
+ var isContentEditable, stopEverything;
517
539
 
518
540
  stopEverything = Rails.stopEverything;
519
541
 
542
+ isContentEditable = Rails.isContentEditable;
543
+
520
544
  Rails.handleMethod = function(e) {
521
545
  var csrfParam, csrfToken, form, formContent, href, link, method;
522
546
  link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
524
548
  if (!method) {
525
549
  return;
526
550
  }
551
+ if (isContentEditable(this)) {
552
+ return;
553
+ }
527
554
  href = Rails.href(link);
528
555
  csrfToken = Rails.csrfToken();
529
556
  csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
545
572
 
546
573
  }).call(this);
547
574
  (function() {
548
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
575
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
549
576
  slice = [].slice;
550
577
 
551
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
578
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
552
579
 
553
580
  isRemote = function(element) {
554
581
  var value;
@@ -566,6 +593,10 @@ Released under the MIT license
566
593
  fire(element, 'ajax:stopped');
567
594
  return false;
568
595
  }
596
+ if (isContentEditable(element)) {
597
+ fire(element, 'ajax:stopped');
598
+ return false;
599
+ }
569
600
  withCredentials = element.getAttribute('data-with-credentials');
570
601
  dataType = element.getAttribute('data-type') || 'script';
571
602
  if (matches(element, Rails.formSubmitSelector)) {
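Review bot: `Rails.isContentEditable` (hunk `@@ -73,6 +73,22 @@`) depends solely on `element.isContentEditable`, so in an engine that does not implement that property every ancestor yields `undefined` and the new guards in `handleDisabledElement`, `disableElement`, `handleMethod` and `isRemote` fail open, leaving the CVE-2023-23913 mitigation ineffective there; Firefox, as far as I recall, did not ship `HTMLElement.isContentEditable` until well after this release. Falling back on the reflected `contentEditable` value (`'true'`, which also covers the empty-attribute form) closes that gap without changing the function's contract, only ever adding elements to the "editable" set, and the `while (true)`/`break` shape collapses into a plain ancestor loop. The `handleMethod` hunk passes `this` to the new check although `link = this` was just assigned; `if (isContentEditable(link)) {` keeps it consistent with the other call sites. Rewritten function below.

```javascript
Rails.isContentEditable = function(element) {
  // Walk up to the root: `isContentEditable` is the normative answer; the
  // reflected `contentEditable` value is the fallback for engines without it.
  for (var el = element; el; el = el.parentElement) {
    if (el.isContentEditable === true || el.contentEditable === 'true') {
      return true;
    }
  }
  return false;
};
```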
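--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: actionview
  version: !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-01-25 00:00:00.000000000 Z
+ date: 2023-03-13 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  - !ruby/object:Gem::Dependency
  name: builder
  requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 6.1.7.2
+ version: 6.1.7.3
  description: Simple, battle-tested conventions and helpers for building web pages.
  email: david@loudthinking.com
  executables: []
@@ -239,10 +239,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v6.1.7.2/actionview/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v6.1.7.2/
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.7.3/actionview/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v6.1.7.3/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v6.1.7.2/actionview
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.7.3/actionview
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []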