🚨 [security] [js] Update trix 2.1.8 → 2.1.10 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ trix (2.1.8 → 2.1.10) · Repo

Security Advisories 🚨

🚨 Trix editor subject to XSS vulnerabilities on copy & paste

The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code.

Impact

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.9 or later, which uses DOMPurify to sanitize the pasted content.

If using Trix 1.x, upgrade to version 1.3.3 or later.

Mitigations

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References

The XSS vulnerability was reported by HackerOne researcher hiumee.
The mutation XSS vulnerability was reported by HackerOne researcher sudi.

Sorry, we couldn't find anything useful about this release.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit bed7eb6 and detected 0 issues on this pull request.

View more on Code Climate.

[github-actions]

This PR has been merged into main. The functionality will be available in the next release.

Please check the release guide for more information.