Additional fixes for XSS vulnerability CVE-2023-23913


Last week we wrote to you about a possible XSS issue in rails-ujs in combination with contenteditable HTML elements. rails-ujs is the JavaScript that implements features like "remote: true" or "method: :patch" for links and forms.

Note that this only affects you if your app uses contenteditable HTML elements, which is somewhat rare.

We have already fixed this issue for Rails 5.2 LTS apps that use the rails-ujs version bundled with Action View via the asset pipeline. Read on if you are on another Rails LTS version or use the rails-ujs or jquery-ujs NPM package.

Rails 2.3 LTS is not affected.


Fixes


We fixed an issue similar to CVE-2023-23913 in the following packages:
  • The NPM package jquery-ujs
  • The NPM package rails-ujs
  • The gem rails-ujs
  • The gem jquery-rails
Rails apps ship these assets in different ways. Pick the instructions that match your current setup:

If you use the NPM package jquery-ujs, replace it with @railslts/jquery-ujs: in the dependencies section of your package.json, replace the jquery-ujs entry with:
"@railslts/jquery-ujs": "^1.2"

If you use the NPM package rails-ujs, replace it with @railslts/rails-ujs: in the dependencies section of your package.json, replace the rails-ujs entry with:
"@railslts/rails-ujs": "^5.2"

(If you use the latest version of the NPM package @rails/ujs, you do not need to upgrade.)

If you use the gem rails-ujs, upgrade it to our fork. Replace gem "rails-ujs" with the following line in your Gemfile:
gem "rails-ujs", git: "https://github.com/rails-lts/rails-ujs", branch: "lts"

If you use the gem jquery-rails, upgrade it to our fork. Replace gem "jquery-rails" with the following line in your Gemfile:
gem "jquery-rails", git: "https://github.com/rails-lts/jquery-rails", branch: "lts"

If you depend on the older 3-1-stable release of the jquery-rails gem, replace gem "jquery-rails" with the following line in your Gemfile:
gem "jquery-rails", git: "https://github.com/rails-lts/jquery-rails", branch: "lts-3-1-stable"
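Which of the fixes above applies depends on where the ujs code in your app comes from. The script below is an added example, not code from the Rails LTS team or from any of the packages listed above: it greps a checkout for the affected package names, reports which replacement still needs to be applied and which fork is already in place, and counts files under app/ that mention contenteditable. It assumes (hypothetically) a conventional layout with package.json and Gemfile in the project root, and it builds a small constructed sample project to run against so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the Rails LTS advisory or from rails-ujs itself:
# audit a Rails checkout for the packages named in the advisory and report
# which replacement applies. Assumes (hypothetically) package.json and Gemfile
# in the project root and templates/JS under app/.

# ujs_audit DIR: prints one line per finding.
#   FIX:  the package is in use and still needs the advisory's replacement
#   OK:   the fork from the advisory is already in place
#   INFO: context a practitioner wants but that needs a human decision
ujs_audit() {
  dir=$1
  pkg="$dir/package.json"
  gemfile="$dir/Gemfile"

  if [ -f "$pkg" ]; then
    # The scoped fork names contain "/jquery-ujs", so matching the quoted bare
    # name "jquery-ujs" does not misfire once the fork is in place.
    if grep -q '"@railslts/jquery-ujs"' "$pkg"; then
      echo "OK: package.json already uses @railslts/jquery-ujs"
    elif grep -q '"jquery-ujs"' "$pkg"; then
      echo "FIX: package.json uses jquery-ujs -> \"@railslts/jquery-ujs\": \"^1.2\""
    fi
    if grep -q '"@railslts/rails-ujs"' "$pkg"; then
      echo "OK: package.json already uses @railslts/rails-ujs"
    elif grep -q '"rails-ujs"' "$pkg"; then
      echo "FIX: package.json uses rails-ujs -> \"@railslts/rails-ujs\": \"^5.2\""
    fi
    # @rails/ujs is a different package; the advisory says its latest version is fine.
    if grep -q '"@rails/ujs"' "$pkg"; then
      echo "INFO: package.json uses @rails/ujs; make sure it is the latest version"
    fi
  fi

  if [ -f "$gemfile" ]; then
    if grep -q 'rails-lts/rails-ujs' "$gemfile"; then
      echo "OK: Gemfile already uses the rails-lts fork of rails-ujs"
    elif grep -Eq "gem ['\"]rails-ujs['\"]" "$gemfile"; then
      echo "FIX: Gemfile uses rails-ujs -> git: rails-lts/rails-ujs, branch: lts"
    fi
    if grep -q 'rails-lts/jquery-rails' "$gemfile"; then
      echo "OK: Gemfile already uses the rails-lts fork of jquery-rails"
    elif grep -Eq "gem ['\"]jquery-rails['\"]" "$gemfile"; then
      echo "FIX: Gemfile uses jquery-rails -> git: rails-lts/jquery-rails, branch: lts (lts-3-1-stable for 3-1-stable)"
    fi
  fi

  # The advisory says only apps with contenteditable elements are affected.
  # A static grep only sees templates and checked-in JS; attributes set at
  # runtime by editor libraries are missed, so 0 is a hint, not proof.
  n=$(grep -rli 'contenteditable' "$dir/app" 2>/dev/null | wc -l | tr -d ' ')
  echo "INFO: contenteditable found in $n file(s) under app/"
  return 0
}

# Constructed sample project (not a real app) for a mixed situation:
# rails-ujs still comes from npm and from the upstream gem, jquery-rails is
# already on the fork, and one view uses contenteditable.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/app/views/posts"
cat > "$SAMPLE_DIR/package.json" <<'EOF'
{
  "dependencies": {
    "jquery": "^3.6.0",
    "rails-ujs": "^5.2.4"
  }
}
EOF
cat > "$SAMPLE_DIR/Gemfile" <<'EOF'
source "https://rubygems.org"
gem "rails", "~> 5.2"
gem "rails-ujs"
gem "jquery-rails", git: "https://github.com/rails-lts/jquery-rails", branch: "lts"
EOF
cat > "$SAMPLE_DIR/app/views/posts/show.html.erb" <<'EOF'
<div contenteditable="true"><%= @post.body %></div>
EOF

ujs_audit "$SAMPLE_DIR"
```

Run it against your own checkout with `ujs_audit /path/to/app` after sourcing the function. The contenteditable count is only a hint: editor libraries and custom JavaScript can set the attribute at runtime, so an empty result does not prove your app is unaffected, and a non-zero result does not by itself mean rails-ujs-driven elements sit inside an editable region.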


Best
- the Rails LTS team

makandra GmbH
Melli-Beese-Straße 5
86159 Augsburg
+49 (0) 821 58866 180

CEO: Dr. Thomas Eisenbarth
Commercial register court: Augsburg Municipal Court 
Register number: HRB 24202
