mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
52ccd24efa
Security fix for 3 stored/DOM XSS advisories in Trix:
GHSA-g9jg-w8vm-g96v (attachment attribute), GHSA-qmpg-8xg6-ph5q
(serialized attributes), GHSA-53p3-c7vp-4mcc (JSON deserialization
bypass in drag-and-drop).
EXPOSED: campfire's composer/editor use Trix for message bodies, and the
browser actually ran the hand-vendored vendor/javascript/trix.esm.min.js
pinned at 2.0.10 — which lacks the DOMPurify/isValidAttribute sanitizers.
The gem bump alone is a no-op for the browser; the real fix is
re-vendoring the ESM build:
- bump gem to 2.1.19 (Gemfile.lock)
- re-vendor vendor/javascript/trix.esm.min.js from Trix 2.1.19
(2.0.10 → 2.1.19; bundles DOMPurify 3.4.2, rangy 1.3.2)
- update importmap pin comment @2.0.10 → @2.1.19
89 commits analyzed. Verified green via full unit + system suites
(system tests drive the Trix composer via fill_in_rich_text_area).
https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-action_text-trix_v2.1.15..v2.1.19.md
🤖 Assisted by Claude
19 lines
827 B
Ruby
19 lines
827 B
Ruby
pin "application"
|
|
|
|
pin "@hotwired/stimulus", to: "stimulus.min.js"
|
|
pin "@hotwired/stimulus-loading", to: "stimulus-loading.js"
|
|
pin "@hotwired/turbo-rails", to: "turbo.js"
|
|
pin "@rails/actioncable", to: "actioncable.esm.js"
|
|
pin "@rails/request.js", to: "@rails--request.js" # @0.0.8
|
|
pin "trix", to: "trix.esm.min.js" # @2.1.19
|
|
pin "@rails/actiontext", to: "actiontext.js"
|
|
pin "highlight.js", to: "highlight.js/core.js"
|
|
|
|
pin_all_from "app/javascript/initializers", under: "initializers"
|
|
pin_all_from "app/javascript/lib", under: "lib"
|
|
pin_all_from "app/javascript/channels", under: "channels"
|
|
pin_all_from "app/javascript/controllers", under: "controllers"
|
|
pin_all_from "app/javascript/helpers", under: "helpers"
|
|
pin_all_from "app/javascript/models", under: "models"
|
|
pin_all_from "vendor/javascript/languages", under: "languages"
|