
Upgrade Trix to 2.1.1 to fix [CVE-2024-34341][1]
rafaelfranca committed May 16, 2024
1 parent 6f0d1ad commit 260cb39
Showing 3 changed files with 100 additions and 31 deletions.
5 changes: 5 additions & 0 deletions actiontext/CHANGELOG.md
@@ -1,3 +1,8 @@
* Upgrade Trix to 1.3.2 to fix [CVE-2024-34341](https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99).

*Rafael Mendonça França*


## Rails 7.1.3.2 (February 21, 2024) ##

* No changes.
122 changes: 92 additions & 30 deletions actiontext/app/assets/javascripts/trix.js
@@ -1,6 +1,6 @@
/*
Trix 2.0.7
Copyright © 2023 37signals, LLC
Trix 2.1.1
Copyright © 2024 37signals, LLC
*/
(function (global, factory) {
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
Expand All @@ -9,14 +9,15 @@ Copyright © 2023 37signals, LLC
})(this, (function () { 'use strict';

var name = "trix";
var version = "2.0.7";
var version = "2.1.1";
var description = "A rich text editor for everyday writing";
var main = "dist/trix.umd.min.js";
var module = "dist/trix.esm.min.js";
var style = "dist/trix.css";
var files = [
"dist/*.css",
"dist/*.js",
"dist/*.map",
"src/{inspector,trix}/*.js"
];
var repository = {
Expand Down Expand Up @@ -130,6 +131,7 @@ Copyright © 2023 37signals, LLC
code: {
tagName: "pre",
terminal: true,
htmlAttributes: ["language"],
text: {
plaintext: true
}
Expand Down Expand Up @@ -1215,7 +1217,7 @@ $\
no-useless-escape,
*/
const normalizeSpaces = string => string.replace(new RegExp("".concat(ZERO_WIDTH_SPACE), "g"), "").replace(new RegExp("".concat(NON_BREAKING_SPACE), "g"), " ");
const normalizeNewlines = string => string.replace(/\r\n/g, "\n");
const normalizeNewlines = string => string.replace(/\r\n?/g, "\n");
const breakableWhitespacePattern = new RegExp("[^\\S".concat(NON_BREAKING_SPACE, "]"));
const squishBreakableWhitespace = string => string
// Replace all breakable whitespace characters with a space
Expand Down Expand Up @@ -2144,20 +2146,28 @@ $\
}
}
createContainerElement(depth) {
let attributes, className;
const attributes = {};
let className;
const attributeName = this.attributes[depth];
const {
tagName
tagName,
htmlAttributes = []
} = getBlockConfig(attributeName);
if (depth === 0 && this.block.isRTL()) {
attributes = {
Object.assign(attributes, {
dir: "rtl"
};
});
}
if (attributeName === "attachmentGallery") {
const size = this.block.getBlockBreakPosition();
className = "".concat(css$1.attachmentGallery, " ").concat(css$1.attachmentGallery, "--").concat(size);
}
Object.entries(this.block.htmlAttributes).forEach(_ref => {
let [name, value] = _ref;
if (htmlAttributes.includes(name)) {
attributes[name] = value;
}
});
return makeElement({
tagName,
className,
Expand Down Expand Up @@ -5828,28 +5838,29 @@ $\
class Block extends TrixObject {
static fromJSON(blockJSON) {
const text = Text.fromJSON(blockJSON.text);
return new this(text, blockJSON.attributes);
return new this(text, blockJSON.attributes, blockJSON.htmlAttributes);
}
constructor(text, attributes) {
constructor(text, attributes, htmlAttributes) {
super(...arguments);
this.text = applyBlockBreakToText(text || new Text());
this.attributes = attributes || [];
this.htmlAttributes = htmlAttributes || {};
}
isEmpty() {
return this.text.isBlockBreak();
}
isEqualTo(block) {
if (super.isEqualTo(block)) return true;
return this.text.isEqualTo(block === null || block === void 0 ? void 0 : block.text) && arraysAreEqual(this.attributes, block === null || block === void 0 ? void 0 : block.attributes);
return this.text.isEqualTo(block === null || block === void 0 ? void 0 : block.text) && arraysAreEqual(this.attributes, block === null || block === void 0 ? void 0 : block.attributes) && objectsAreEqual(this.htmlAttributes, block === null || block === void 0 ? void 0 : block.htmlAttributes);
}
copyWithText(text) {
return new Block(text, this.attributes);
return new Block(text, this.attributes, this.htmlAttributes);
}
copyWithoutText() {
return this.copyWithText(null);
}
copyWithAttributes(attributes) {
return new Block(this.text, attributes);
return new Block(this.text, attributes, this.htmlAttributes);
}
copyWithoutAttributes() {
return this.copyWithAttributes(null);
Expand All @@ -5866,6 +5877,12 @@ $\
const attributes = this.attributes.concat(expandAttribute(attribute));
return this.copyWithAttributes(attributes);
}
addHTMLAttribute(attribute, value) {
const htmlAttributes = Object.assign({}, this.htmlAttributes, {
[attribute]: value
});
return new Block(this.text, this.attributes, htmlAttributes);
}
removeAttribute(attribute) {
const {
listAttribute
Expand Down Expand Up @@ -5962,7 +5979,8 @@ $\
toJSON() {
return {
text: this.text,
attributes: this.attributes
attributes: this.attributes,
htmlAttributes: this.htmlAttributes
};
}

Expand Down Expand Up @@ -6325,6 +6343,11 @@ $\
const range = this.getRangeOfAttachment(attachment);
return this.removeAttributeAtRange(attribute, range);
}
setHTMLAttributeAtPosition(position, name, value) {
const block = this.getBlockAtPosition(position);
const updatedBlock = block.addHTMLAttribute(name, value);
return this.replaceBlock(block, updatedBlock);
}
insertBlockBreakAtRange(range) {
let blocks;
range = normalizeRange(range);
Expand Down Expand Up @@ -6793,9 +6816,9 @@ $\
return attributes;
};

const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ");
const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height language class".split(" ");
const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ");
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form".split(" ");
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ");
class HTMLSanitizer extends BasicObject {
static sanitize(html, options) {
const sanitizer = new this(html, options);
Expand Down Expand Up @@ -6923,15 +6946,21 @@ $\
};
const blockForAttributes = function () {
let attributes = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
let htmlAttributes = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
const text = [];
return {
text,
attributes
attributes,
htmlAttributes
};
};
const parseTrixDataAttribute = (element, name) => {
try {
return JSON.parse(element.getAttribute("data-trix-".concat(name)));
const data = JSON.parse(element.getAttribute("data-trix-".concat(name)));
if (data.contentType === "text/html" && data.content) {
data.content = HTMLSanitizer.sanitize(data.content).getHTML();
}
return data;
} catch (error) {
return {};
}
Expand Down Expand Up @@ -7027,8 +7056,9 @@ $\
} else if (element === this.containerElement || this.isBlockElement(element)) {
var _this$currentBlock;
const attributes = this.getBlockAttributes(element);
const htmlAttributes = this.getBlockHTMLAttributes(element);
if (!arraysAreEqual(attributes, (_this$currentBlock = this.currentBlock) === null || _this$currentBlock === void 0 ? void 0 : _this$currentBlock.attributes)) {
this.currentBlock = this.appendBlockForAttributesWithElement(attributes, element);
this.currentBlock = this.appendBlockForAttributesWithElement(attributes, element, htmlAttributes);
this.currentBlockElement = element;
}
}
Expand All @@ -7039,9 +7069,10 @@ $\
if (elementIsBlockElement && !this.isBlockElement(element.firstChild)) {
if (!this.isInsignificantTextNode(element.firstChild) || !this.isBlockElement(element.firstElementChild)) {
const attributes = this.getBlockAttributes(element);
const htmlAttributes = this.getBlockHTMLAttributes(element);
if (element.firstChild) {
if (!(currentBlockContainsElement && arraysAreEqual(attributes, this.currentBlock.attributes))) {
this.currentBlock = this.appendBlockForAttributesWithElement(attributes, element);
this.currentBlock = this.appendBlockForAttributesWithElement(attributes, element, htmlAttributes);
this.currentBlockElement = element;
} else {
return this.appendStringWithAttributes("\n");
Expand Down Expand Up @@ -7129,8 +7160,9 @@ $\
// Document construction

appendBlockForAttributesWithElement(attributes, element) {
let htmlAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : {};
this.blockElements.push(element);
const block = blockForAttributes(attributes);
const block = blockForAttributes(attributes, htmlAttributes);
this.blocks.push(block);
return block;
}
Expand Down Expand Up @@ -7235,6 +7267,17 @@ $\
}
return attributes$1.reverse();
}
getBlockHTMLAttributes(element) {
const attributes$1 = {};
const blockConfig = Object.values(attributes).find(settings => settings.tagName === tagName(element));
const allowedAttributes = (blockConfig === null || blockConfig === void 0 ? void 0 : blockConfig.htmlAttributes) || [];
allowedAttributes.forEach(attribute => {
if (element.hasAttribute(attribute)) {
attributes$1[attribute] = element.getAttribute(attribute);
}
});
return attributes$1;
}
findBlockElementAncestors(element) {
const ancestors = [];
while (element && element !== this.containerElement) {
Expand Down Expand Up @@ -7830,6 +7873,15 @@ $\
return this.notifyDelegateOfCurrentAttributesChange();
}
}
setHTMLAtributeAtPosition(position, attributeName, value) {
var _getBlockConfig;
const block = this.document.getBlockAtPosition(position);
const allowedHTMLAttributes = (_getBlockConfig = getBlockConfig(block.getLastAttribute())) === null || _getBlockConfig === void 0 ? void 0 : _getBlockConfig.htmlAttributes;
if (block && allowedHTMLAttributes !== null && allowedHTMLAttributes !== void 0 && allowedHTMLAttributes.includes(attributeName)) {
const newDocument = this.document.setHTMLAttributeAtPosition(position, attributeName, value);
this.setDocument(newDocument);
}
}
setTextAttribute(attributeName, value) {
const selectedRange = this.getSelectedRange();
if (!selectedRange) return;
Expand Down Expand Up @@ -7877,10 +7929,10 @@ $\
return ((_this$getBlock = this.getBlock()) === null || _this$getBlock === void 0 ? void 0 : _this$getBlock.getNestingLevel()) > 0;
}
canIncreaseNestingLevel() {
var _getBlockConfig;
var _getBlockConfig2;
const block = this.getBlock();
if (!block) return;
if ((_getBlockConfig = getBlockConfig(block.getLastNestableAttribute())) !== null && _getBlockConfig !== void 0 && _getBlockConfig.listAttribute) {
if ((_getBlockConfig2 = getBlockConfig(block.getLastNestableAttribute())) !== null && _getBlockConfig2 !== void 0 && _getBlockConfig2.listAttribute) {
const previousBlock = this.getPreviousBlock();
if (previousBlock) {
return arrayStartsWith(previousBlock.getListItemAttributes(), block.getListItemAttributes());
Expand Down Expand Up @@ -8521,6 +8573,11 @@ $\
return this.composition.removeCurrentAttribute(name);
}

// HTML attributes
setHTMLAtributeAtPosition(position, name, value) {
this.composition.setHTMLAtributeAtPosition(position, name, value);
}

// Nesting level

canDecreaseNestingLevel() {
Expand Down Expand Up @@ -10941,8 +10998,12 @@ $\
});
},
insertReplacementText() {
return this.insertString(this.event.dataTransfer.getData("text/plain"), {
updatePosition: false
const replacement = this.event.dataTransfer.getData("text/plain");
const domRange = this.event.getTargetRanges()[0];
this.withTargetDOMRange(domRange, () => {
this.insertString(replacement, {
updatePosition: false
});
});
},
insertText() {
Expand Down Expand Up @@ -11064,7 +11125,7 @@ $\
return this.toggleDialog(actionName);
} else {
var _this$delegate2;
return (_this$delegate2 = this.delegate) === null || _this$delegate2 === void 0 ? void 0 : _this$delegate2.toolbarDidInvokeAction(actionName);
return (_this$delegate2 = this.delegate) === null || _this$delegate2 === void 0 ? void 0 : _this$delegate2.toolbarDidInvokeAction(actionName, element);
}
}
didClickAttributeButton(event, element) {
Expand Down Expand Up @@ -11509,8 +11570,8 @@ $\
});
}
}
toolbarDidInvokeAction(actionName) {
return this.invokeAction(actionName);
toolbarDidInvokeAction(actionName, invokingElement) {
return this.invokeAction(actionName, invokingElement);
}
toolbarDidToggleAttribute(attributeName) {
this.recordFormattingUndoEntry(attributeName);
Expand Down Expand Up @@ -11579,10 +11640,11 @@ $\
return !!((_this$actions$actionN = this.actions[actionName]) !== null && _this$actions$actionN !== void 0 && (_this$actions$actionN = _this$actions$actionN.test) !== null && _this$actions$actionN !== void 0 && _this$actions$actionN.call(this));
}
}
invokeAction(actionName) {
invokeAction(actionName, invokingElement) {
if (this.actionIsExternal(actionName)) {
return this.notifyEditorElement("action-invoke", {
actionName
actionName,
invokingElement
});
} else {
var _this$actions$actionN2;
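Review bot: In Composition's new `setHTMLAtributeAtPosition` the `block &&` guard on the `if` line runs only after `block.getLastAttribute()` has already been called on the line above, so a position with no block throws a TypeError instead of being ignored as the guard intends; move the check up, `const block = this.document.getBlockAtPosition(position); if (!block) return;`, and drop `block &&` from the condition. The method name is misspelled (`Atribute`), and the misspelling is repeated in the editor facade's new public method while `Document#setHTMLAttributeAtPosition` is spelled correctly, so callers meet two spellings of one operation. In `parseTrixDataAttribute` the added `HTMLSanitizer.sanitize` call is gated on `contentType === "text/html"`, so attachment content carrying another or no content type still flows through untouched — acceptable only if such content is never rendered as markup, which this hunk cannot confirm; a comment such as `// only text/html attachment content is sanitized here; other types must be rendered as text` would record that assumption. The `noscript` entry added to `DEFAULT_FORBIDDEN_ELEMENTS` and the `language` entry added to `DEFAULT_ALLOWED_ATTRIBUTES` carry no explanation, so a one-line comment at each constant naming the advisory from the commit title would help the next maintainer who wonders whether they can be removed. Separately, the CHANGELOG entry in this commit says "Trix to 1.3.2" while the header comment and `version` string in this file say 2.1.1.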
4 changes: 3 additions & 1 deletion actiontext/app/assets/stylesheets/trix.css
Expand Up @@ -334,7 +334,9 @@ trix-editor .attachment__metadata {
white-space: nowrap; }

.trix-content {
line-height: 1.5; }
line-height: 1.5;
overflow-wrap: break-word;
word-break: break-word; }
.trix-content * {
box-sizing: border-box;
margin: 0;
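Review bot: `.trix-content` now sets both `overflow-wrap: break-word` and `word-break: break-word`; the latter is a deprecated value that, where supported, behaves like `overflow-wrap: anywhere`, so the pair reads as redundant and the intent is unclear. If the second declaration is deliberately kept as a fallback, a comment such as `/* word-break: break-word kept as fallback for engines without overflow-wrap */` would prevent it being removed as dead.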
