File rubygem-actionview-5_1-CVE-2023-23913.patch of Package rubygem-actionview-5_1.30716
Index: actionview-5.1.4/lib/assets/compiled/rails-ujs.js
===================================================================
--- actionview-5.1.4.orig/lib/assets/compiled/rails-ujs.js
+++ actionview-5.1.4/lib/assets/compiled/rails-ujs.js
@@ -58,6 +58,22 @@ Released under the MIT license
return element[expando][key] = value;
};
+ Rails.isContentEditable = function(element) {
+ var isEditable;
+ isEditable = false;
+ while (true) {
+ if (element.isContentEditable) {
+ isEditable = true;
+ break;
+ }
+ element = element.parentElement;
+ if (!element) {
+ break;
+ }
+ }
+ return isEditable;
+ };
+
Rails.$ = function(selector) {
return Array.prototype.slice.call(document.querySelectorAll(selector));
};
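Review bot: `Rails.isContentEditable` is added without a comment, so nothing at the definition tells a maintainer that it is a security guard rather than a UI helper. Going by the patch name (CVE-2023-23913), the later hunks use it to make the UJS handlers ignore elements inside editable regions, where `data-*` attributes can arrive with pasted markup the application never rendered. I would add above it: `// True if element or any ancestor is contenteditable; UJS handlers must skip these (CVE-2023-23913).` The comment should also say that callers must pass a non-null element, because `element.isContentEditable` is read before any null check.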
@@ -361,9 +377,9 @@ Released under the MIT license
}).call(this);
(function() {
- var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, matches, setData, stopEverything;
+ var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, matches, setData, stopEverything;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
Rails.handleDisabledElement = function(e) {
var element;
@@ -376,6 +392,9 @@ Released under the MIT license
Rails.enableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return enableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -388,6 +407,9 @@ Released under the MIT license
Rails.disableElement = function(e) {
var element;
element = e instanceof Event ? e.target : e;
+ if (isContentEditable(element)) {
+ return;
+ }
if (matches(element, Rails.linkDisableSelector)) {
return disableLinkElement(element);
} else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -460,10 +482,12 @@ Released under the MIT license
}).call(this);
(function() {
- var stopEverything;
+ var isContentEditable, stopEverything;
stopEverything = Rails.stopEverything;
+ isContentEditable = Rails.isContentEditable;
+
Rails.handleMethod = function(e) {
var csrfParam, csrfToken, form, formContent, href, link, method;
link = this;
@@ -471,6 +495,9 @@ Released under the MIT license
if (!method) {
return;
}
+ if (isContentEditable(this)) {
+ return;
+ }
href = Rails.href(link);
csrfToken = Rails.csrfToken();
csrfParam = Rails.csrfParam();
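Review bot: The new guard calls `isContentEditable(this)` although `this` was aliased to `link` at the top of `Rails.handleMethod` and the lines that follow use `link` (`Rails.href(link)`); `if (isContentEditable(link)) {` would read consistently. The guard returns without a value, unlike the `return false` in the remote handler's guard, so the click is presumably left to its default action. A one-line comment stating that falling back to a plain navigation is intended would help the next reader. The function begins and continues outside this hunk.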
@@ -492,10 +519,10 @@ Released under the MIT license
}).call(this);
(function() {
- var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+ var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
slice = [].slice;
- matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
+ matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
isRemote = function(element) {
var value;
@@ -513,6 +540,10 @@ Released under the MIT license
fire(element, 'ajax:stopped');
return false;
}
+ if (isContentEditable(element)) {
+ fire(element, 'ajax:stopped');
+ return false;
+ }
withCredentials = element.getAttribute('data-with-credentials');
dataType = element.getAttribute('data-type') || 'script';
if (matches(element, Rails.formSubmitSelector)) {
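Review bot: The contenteditable check is placed after the preceding veto block, so whatever event that block dispatches (its start is outside the hunk; it looks like the `ajax:before` check) has already fired on an element whose `data-*` attributes may be untrusted, and `ajax:stopped` is then fired on it as well. Application listeners for those events that read attributes of the target would still run for such elements. Consider moving the guard ahead of the first `fire` call, or document here that listeners must not trust `data-*` values on the event target. This guard also returns `false` while the guards in `enableElement`, `disableElement` and `handleMethod` return nothing; if the difference is deliberate, a short comment should say why.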