rubygem-actionview/CVE-2023-23913.patch

Refer:
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
https://build.opensuse.org/projects/SUSE:SLE-15:Update/packages/rubygem-actionview-5_1/files/rubygem-actionview-5_1-CVE-2023-23913.patch?expand=1

From 5037a13614di71727af8a175063bcf6ba1a74bdbd Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Mon, 16 Jan 2023 09:43:54 -0500
Subject: [PATCH] Ignore certain data-* attributes in rails-ujs when element is
 contenteditable

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to occur
when pasting malicious HTML content from the clipboard that includes
a data-method, data-disable-with or data-remote attribute.

[CVE-2023-23913]

---
 lib/assets/compiled/rails-ujs.js | 41 ++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/lib/assets/compiled/rails-ujs.js b/lib/assets/compiled/rails-ujs.js
index 2176247..d428163 100644
--- a/lib/assets/compiled/rails-ujs.js
+++ b/lib/assets/compiled/rails-ujs.js
@@ -73,6 +73,22 @@ Released under the MIT license
         return element[expando][key] = value;
       };
 
+      Rails.isContentEditable = function(element) {
+        var isEditable;
+        isEditable = false;
+        while (true) {
+          if (element.isContentEditable) {
+            isEditable = true;
+            break;
+          }
+          element = element.parentElement;
+          if (!element) {
+            break;
+          }
+        }
+        return isEditable;
+      };
+
       Rails.$ = function(selector) {
         return Array.prototype.slice.call(document.querySelectorAll(selector));
       };
@@ -395,9 +411,9 @@ Released under the MIT license
 
     }).call(this);
     (function() {
-      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isXhrRedirect, matches, setData, stopEverything;
+      var disableFormElement, disableFormElements, disableLinkElement, enableFormElement, enableFormElements, enableLinkElement, formElements, getData, isContentEditable, isXhrRedirect, matches, setData, stopEverything;
 
-      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements;
+      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, stopEverything = Rails.stopEverything, formElements = Rails.formElements, isContentEditable = Rails.isContentEditable;
 
       Rails.handleDisabledElement = function(e) {
         var element;
@@ -417,6 +433,9 @@ Released under the MIT license
         } else {
           element = e;
         }
+        if (isContentEditable(element)) {
+          return;
+        }
         if (matches(element, Rails.linkDisableSelector)) {
           return enableLinkElement(element);
         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formEnableSelector)) {
@@ -429,6 +448,9 @@ Released under the MIT license
       Rails.disableElement = function(e) {
         var element;
         element = e instanceof Event ? e.target : e;
+        if (isContentEditable(element)) {
+          return;
+        }
         if (matches(element, Rails.linkDisableSelector)) {
           return disableLinkElement(element);
         } else if (matches(element, Rails.buttonDisableSelector) || matches(element, Rails.formDisableSelector)) {
@@ -513,10 +535,12 @@ Released under the MIT license
 
     }).call(this);
     (function() {
-      var stopEverything;
+      var isContentEditable, stopEverything;
 
       stopEverything = Rails.stopEverything;
 
+      isContentEditable = Rails.isContentEditable;
+
       Rails.handleMethod = function(e) {
         var csrfParam, csrfToken, form, formContent, href, link, method;
         link = this;
@@ -524,6 +548,9 @@ Released under the MIT license
         if (!method) {
           return;
         }
+        if (isContentEditable(this)) {
+          return;
+        }
         href = Rails.href(link);
         csrfToken = Rails.csrfToken();
         csrfParam = Rails.csrfParam();
@@ -545,10 +572,10 @@ Released under the MIT license
 
     }).call(this);
     (function() {
-      var ajax, fire, getData, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
+      var ajax, fire, getData, isContentEditable, isCrossDomain, isRemote, matches, serializeElement, setData, stopEverything,
         slice = [].slice;
 
-      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement;
+      matches = Rails.matches, getData = Rails.getData, setData = Rails.setData, fire = Rails.fire, stopEverything = Rails.stopEverything, ajax = Rails.ajax, isCrossDomain = Rails.isCrossDomain, serializeElement = Rails.serializeElement, isContentEditable = Rails.isContentEditable;
 
       isRemote = function(element) {
         var value;
@@ -566,6 +593,10 @@ Released under the MIT license
           fire(element, 'ajax:stopped');
           return false;
         }
+        if (isContentEditable(element)) {
+          fire(element, 'ajax:stopped');
+          return false;
+        }
         withCredentials = element.getAttribute('data-with-credentials');
         dataType = element.getAttribute('data-type') || 'script';
         if (matches(element, Rails.formSubmitSelector)) {
-- 
2.33.0