🚨 [security] [ruby] Update action_text-trix 2.1.17 → 2.1.18 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ action_text-trix (indirect, 2.1.17 → 2.1.18) · Repo · Changelog

Security Advisories 🚨

🚨 Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)

Impact

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The StringPiece.fromJSON method trusted href attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a javascript: URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM.

Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.

References

The XSS vulnerability was responsibly reported by Hackerone researcher newbiefromcoma.

Release Notes

2.1.18

Security

• Sanitize javascript: URI in JSON drag-drop deserialization by @flavorjones in #1293

Infrastructure/CI

• ci: harden GitHub Actions workflows by @flavorjones in #1284

Full Changelog: v2.1.17...v2.1.18

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• v2.1.18
• Fix XSS via javascript: URI in JSON drag-drop deserialization (#1293)
• ci: harden GitHub Actions workflows (#1284)

↗️ json (indirect, 2.19.2 → 2.19.3) · Repo · Changelog

Release Notes

2.19.3

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Release 2.19.3
• Fix handling of unescaped control characters preceeded by a backslash

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)