Comparing changes

base repository: basecamp/trix
base: v2.1.11
head repository: basecamp/trix
compare: v2.1.12
  • 6 commits
  • 4 files changed
  • 3 contributors

Commits on Dec 18, 2024

  1. Fix XSS via javascript: url in a link

    Previously, it was possible to trigger XSS by setting as a link a URL like
    `javascript:alert('XSS')`.
    Fix it via a custom HTML input validation pattern to block both
    `javascript:` and `data:` URLs.
    Jacopo Beschi committed Dec 18, 2024 (12ee782)

Commits on Dec 19, 2024

  1. Switch from JS pattern to DOMPurify.isValidAttribute

    This should cover any edge case not covered by the Regexp.
    Jacopo Beschi committed Dec 19, 2024 (f432478)
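To see what the switch in this commit buys, here is an added example (not code from Trix or from DOMPurify) contrasting a denylist regexp on `href` values, as the first patch describes, with the normalise-then-allowlist check that `DOMPurify.isValidAttribute` performs for URI attributes. The function names, the scheme allowlist and the sample hrefs are this example's own assumptions.

```javascript
// Added example, not Trix's code: a denylist on link hrefs versus the
// normalise-then-allowlist approach DOMPurify takes. Names, the scheme
// list and the sample inputs below are assumptions made for this example.

// The first patch's idea: reject hrefs whose scheme is javascript: or
// data:, case-insensitively, tolerating leading whitespace.
const DENYLIST = /^\s*(?:javascript|data):/i;

function naiveIsSafeHref(href) {
  return !DENYLIST.test(String(href));
}

// Browsers drop ASCII tab, LF and CR anywhere in a URL and leading C0
// controls before reading the scheme, so the check must test the string
// the browser will actually see. DOMPurify strips this character class
// (its ATTR_WHITESPACE) before testing the value; the same class is used
// here. Stripping internal spaces can only make the check stricter.
const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Schemes a rich-text link may legitimately carry (assumption for this
// example; DOMPurify's default allowlist is longer).
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// A scheme is a leading letter followed by letters, digits, "+", "-", ".".
const SCHEME = /^([a-z][a-z0-9+.-]*):/i;

function isSafeHref(href) {
  const normalized = String(href).replace(ATTR_WHITESPACE, "");
  const m = SCHEME.exec(normalized);
  if (!m) return true; // no scheme: relative path, fragment or query
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample hrefs, including three that slip past the denylist.
const SAMPLES = [
  "https://example.com/",
  "/relative/path#top",
  "mailto:someone@example.com",
  "javascript:alert('XSS')",
  "JaVaScRiPt:alert(1)",
  "java\nscript:alert(1)",     // LF inside the scheme: the browser ignores it
  "\u0001javascript:alert(1)", // leading control char: not matched by \s
  "vbscript:msgbox(1)",        // not on the denylist at all
  "data:text/html,<script>alert(1)</script>",
];

// Run both checks over a list of hrefs and report each verdict.
function compare(hrefs = SAMPLES) {
  return hrefs.map((href) => ({
    href,
    naive: naiveIsSafeHref(href),
    allowlist: isSafeHref(href),
  }));
}

// Hrefs the denylist accepts but the allowlist rejects.
function denylistBypasses(hrefs = SAMPLES) {
  return compare(hrefs)
    .filter((r) => r.naive && !r.allowlist)
    .map((r) => r.href);
}

console.table(compare());
```

Two caveats carry over to any such check: it must run on the attribute value as the DOM holds it (entities such as `&#106;avascript:` are already decoded there, so checking raw markup instead would be bypassable), and protocol-relative `//host/...` values pass the scheme test because they have no scheme.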

Commits on Dec 20, 2024

  1. Merge commit from fork

    Fix XSS via `javascript:` url in a link
    intrip authored Dec 20, 2024 (180c8d3)
  2. Refactor link XSS patch

    - use `isSafeAttribute` instead of `safeAttribute`
    - Extract conditional to an outer if
    - Add parentheses for clarity
    Jacopo Beschi committed Dec 20, 2024 (c707f41)
  3. Merge pull request #1218 from basecamp/refactor-xss-fix

    Refactor link XSS patch
    intrip authored Dec 20, 2024 (c4f0d6f)
  4. v2.1.12

    jorgemanrubia committed Dec 20, 2024 (7bf3e5a)