🚨 [security] [js] Update trix 2.1.1 → 2.1.5 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ trix (2.1.1 → 2.1.5) · Repo

Security Advisories 🚨

🚨 Trix has a cross-site Scripting vulnerability on copy & paste

The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In #1149, we added sanitation for Trix attachments with a text/html content type. However, Trix only checks the content type on the paste event's dataTransfer object. As long as the dataTransfer has a content type of text/html, Trix parses its contents and creates an Attachment with them, even if the attachment itself doesn't have a text/html content type. Trix then uses the attachment content to set the attachment element's innerHTML.

Impact

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.4 or later, which incorporates proper sanitization of input from copied content.

Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References

• #1156
• https://github.com/basecamp/trix/releases/tag/v2.1.4
• #1149
• GHSA-qjqp-xr96-cj99
• MDN docs for DataTransfer

Credits

This vulnerability was reported by HackerOne researcher thwin_htet.

Release Notes

2.1.5

What's Changed

• Show placeholder text when it's empty by @michelleh in #1177

New Contributors

• @michelleh made their first contribution in #1177

Full Changelog: v2.1.4...v2.1.5

2.1.4

What's Changed

• Fix XSS vulnerability on paste by @afcapel in #1156

Full Changelog: 2.1.3...v2.1.4

2.1.2

• Fix for problem with suggestions in iOS 18 beta by @jorgemanrubia in #1165

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

• v2.1.5
• Merge pull request #1177 from basecamp/show-placeholder-when-empty
• Show placeholder text when it's empty
• v2.1.4
• Merge pull request #1156 from basecamp/paste-vuln
• Support browsers where getHTML is not supported
• Ensure we always sanitize HTML we set as innerHTML
• Drop defunct bin/release superseded by yarn release
• bin/release: upload .map files to release
• bin/release: narrow release files
• bin/release: drop needless copyright year updates and src commits
• bin/release: dist/ is no longer version controlled
• boop
• 2.1.3
• Refresh outdated bin/release
• Bump version to current 2.1.2 release
• Prioritize pasting files over pasting HTML content (#1148)
• Merge pull request #1165 from basecamp/bug+safari-autocomplete
• Fix problem with iOS beta 8 suggestions

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)