[Security] Bump actionview from 5.2.3 to 6.1.1

[dependabot-preview]

Bumps actionview from 5.2.3 to 6.1.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible XSS vulnerability in ActionView There is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.2.2, 5.2.4.2

Impact

There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this:

or

Patched versions: ~> 5.2.4, >= 5.2.4.2; >= 6.0.2.2 Unaffected versions: none

Sourced from The Ruby Advisory Database.

CSRF Vulnerability in rails-ujs There is an vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.

Versions Affected: rails <= 6.0.3 Not affected: Applications which don't use rails-ujs. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

This is a regression of CVE-2015-1840.

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds

To work around this problem, change code that allows users to control the href attribute of an anchor

Patched versions: ~> 5.2.4.3; >= 6.0.3.1 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Potential XSS vulnerability in Action View There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:

Patched versions: ~> 5.2.4, >= 5.2.4.4; >= 6.0.3.3 Unaffected versions: none

Release notes

Sourced from actionview's releases.

6.1.1

Active Support

• Change IPAddr#to_json to match the behavior of the json gem returning the string representation instead of the instance variables of the object.

  Before:

  IPAddr.new("127.0.0.1").to_json
  # => "{\"addr\":2130706433,\"family\":2,\"mask_addr\":4294967295}"

  After:

  IPAddr.new("127.0.0.1").to_json
  # => "\"127.0.0.1\""

Active Model

• No changes.

Active Record

• Fix fixtures loading when strict loading is enabled for the association.

  Alex Ghiculescu

• Fix where with custom primary key for belongs_to association.

  Ryuta Kamizono

• Fix where with aliased associations.

  Ryuta Kamizono

• Fix composed_of with symbol mapping.

  Ryuta Kamizono

• Don't skip money's type cast for pluck and calculations.

  Ryuta Kamizono

Changelog

Sourced from actionview's changelog.

Rails 6.1.1 (January 07, 2021)

• Fix lazy translation in partial with block.

  Marek Kasztelnik

• Avoid extra SELECT COUNT queries when rendering Active Record collections.

  aar0nr

• Link preloading keep integrity hashes in the header.

  Étienne Barrié

• Add config.action_view.preload_links_header to allow disabling of the Link header being added by default when using stylesheet_link_tag and javascript_include_tag.

  Andrew White

• The translate helper now resolves default values when a nil key is specified, instead of always returning nil.

  Jonathan Hefner

Rails 6.1.0 (December 09, 2020)

• SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's class method

  Fixes #39586

  Taufiq Muhammadi

• Change form_with to generate non-remote forms by default.

  form_with would generate a remote form by default. This would confuse users because they were forced to handle remote requests.

  All new 6.1 applications will generate non-remote forms by default. When upgrading a 6.0 application you can enable remote forms by default by setting config.action_view.form_with_generates_remote_forms to true.

  Petrik de Heus

• Yield translated strings to calls of ActionView::FormBuilder#button when a block is given.

  Sean Doyle

Commits

• 5f3ff60 Preparing for 6.1.1 release
• 6a0b88e Merge pull request #40981 from mkasztelnik/40900-fix-lazy-translation-in-part...
• 4453888 Merge pull request #40897 from rails/backport-preload-links-header-config
• 0a29e14 Merge pull request #40946 from kylekeesling/master
• c55e32e Add config.action_view.preload_links_header option
• e4d5f89 Fix SELECT COUNT queries when rendering ActiveRecord collections (#40870)
• 80077d3 Merge pull request #40841 from Shopify/link-preload-integrity
• 472de76 Merge pull request #40788 from jonathanhefner/translate-nil-key
• 914caca Preparing for 6.1.0 release
• 5d2e693 Merge pull request #40168 from igor04/disable_with_and_automatically_disable_...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[proctoru-bot]

@dependabot-preview[bot], please add a Type label.

[dependabot-preview]

Superseded by #147.