Updated @rails/ujs files to follow 8e3449908c59858384ae230d1416c7dcabc8c2dc.
This change was built by `$ yarn build` in actionview.
This commit includes the following changes into build files.
- 8e3449908c
This commit is contained in:
Ryunosuke Sato
parent
77a5605015
commit
8b18d44d17
@ -1,3 +1,10 @@
|
||||
* Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
|
||||
|
||||
This fix was already landed in >= 7.0.4.3, < 7.1.0.
|
||||
[[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
|
||||
|
||||
*Ryunosuke Sato*
|
||||
|
||||
* Added validation for HTML tag names in the `tag` and `content_tag` helper method. The `tag` and
|
||||
`content_tag` method now checks that the provided tag name adheres to the HTML specification. If
|
||||
an invalid HTML tag name is provided, the method raises an `ArgumentError` with an appropriate error
|
||||
|
||||
@ -58,6 +58,18 @@ const setData = function(element, key, value) {
|
||||
|
||||
const $ = selector => Array.prototype.slice.call(document.querySelectorAll(selector));
|
||||
|
||||
const isContentEditable = function(element) {
|
||||
var isEditable = false;
|
||||
do {
|
||||
if (element.isContentEditable) {
|
||||
isEditable = true;
|
||||
break;
|
||||
}
|
||||
element = element.parentElement;
|
||||
} while (element);
|
||||
return isEditable;
|
||||
};
|
||||
|
||||
const csrfToken = () => {
|
||||
const meta = document.querySelector("meta[name=csrf-token]");
|
||||
return meta && meta.content;
|
||||
@ -336,6 +348,9 @@ const enableElement = e => {
|
||||
} else {
|
||||
element = e;
|
||||
}
|
||||
if (isContentEditable(element)) {
|
||||
return;
|
||||
}
|
||||
if (matches(element, linkDisableSelector)) {
|
||||
return enableLinkElement(element);
|
||||
} else if (matches(element, buttonDisableSelector) || matches(element, formEnableSelector)) {
|
||||
@ -347,6 +362,9 @@ const enableElement = e => {
|
||||
|
||||
const disableElement = e => {
|
||||
const element = e instanceof Event ? e.target : e;
|
||||
if (isContentEditable(element)) {
|
||||
return;
|
||||
}
|
||||
if (matches(element, linkDisableSelector)) {
|
||||
return disableLinkElement(element);
|
||||
} else if (matches(element, buttonDisableSelector) || matches(element, formDisableSelector)) {
|
||||
@ -426,6 +444,9 @@ const handleMethodWithRails = rails => function(e) {
|
||||
if (!method) {
|
||||
return;
|
||||
}
|
||||
if (isContentEditable(this)) {
|
||||
return;
|
||||
}
|
||||
const href = rails.href(link);
|
||||
const csrfToken$1 = csrfToken();
|
||||
const csrfParam$1 = csrfParam();
|
||||
@ -460,6 +481,10 @@ const handleRemoteWithRails = rails => function(e) {
|
||||
fire(element, "ajax:stopped");
|
||||
return false;
|
||||
}
|
||||
if (isContentEditable(element)) {
|
||||
fire(element, "ajax:stopped");
|
||||
return false;
|
||||
}
|
||||
const withCredentials = element.getAttribute("data-with-credentials");
|
||||
const dataType = element.getAttribute("data-type") || "script";
|
||||
if (matches(element, formSubmitSelector)) {
|
||||
@ -665,4 +690,4 @@ if (typeof exports !== "object" && typeof module === "undefined") {
|
||||
}
|
||||
}
|
||||
|
||||
export default Rails;
|
||||
export { Rails as default };
|
||||
|
||||
@ -44,6 +44,17 @@ Released under the MIT license
|
||||
return element[EXPANDO][key] = value;
|
||||
};
|
||||
const $ = selector => Array.prototype.slice.call(document.querySelectorAll(selector));
|
||||
const isContentEditable = function(element) {
|
||||
var isEditable = false;
|
||||
do {
|
||||
if (element.isContentEditable) {
|
||||
isEditable = true;
|
||||
break;
|
||||
}
|
||||
element = element.parentElement;
|
||||
} while (element);
|
||||
return isEditable;
|
||||
};
|
||||
const csrfToken = () => {
|
||||
const meta = document.querySelector("meta[name=csrf-token]");
|
||||
return meta && meta.content;
|
||||
@ -298,6 +309,9 @@ Released under the MIT license
|
||||
} else {
|
||||
element = e;
|
||||
}
|
||||
if (isContentEditable(element)) {
|
||||
return;
|
||||
}
|
||||
if (matches(element, linkDisableSelector)) {
|
||||
return enableLinkElement(element);
|
||||
} else if (matches(element, buttonDisableSelector) || matches(element, formEnableSelector)) {
|
||||
@ -308,6 +322,9 @@ Released under the MIT license
|
||||
};
|
||||
const disableElement = e => {
|
||||
const element = e instanceof Event ? e.target : e;
|
||||
if (isContentEditable(element)) {
|
||||
return;
|
||||
}
|
||||
if (matches(element, linkDisableSelector)) {
|
||||
return disableLinkElement(element);
|
||||
} else if (matches(element, buttonDisableSelector) || matches(element, formDisableSelector)) {
|
||||
@ -379,6 +396,9 @@ Released under the MIT license
|
||||
if (!method) {
|
||||
return;
|
||||
}
|
||||
if (isContentEditable(this)) {
|
||||
return;
|
||||
}
|
||||
const href = rails.href(link);
|
||||
const csrfToken$1 = csrfToken();
|
||||
const csrfParam$1 = csrfParam();
|
||||
@ -411,6 +431,10 @@ Released under the MIT license
|
||||
fire(element, "ajax:stopped");
|
||||
return false;
|
||||
}
|
||||
if (isContentEditable(element)) {
|
||||
fire(element, "ajax:stopped");
|
||||
return false;
|
||||
}
|
||||
const withCredentials = element.getAttribute("data-with-credentials");
|
||||
const dataType = element.getAttribute("data-type") || "script";
|
||||
if (matches(element, formSubmitSelector)) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user