
Disallow script execution by @rails/ujs

Mark Florian requested to merge 336138-disallow-rails-ujs-script-execution into master

This adds and uses patch-package to remove the data-remote script execution behaviour of @rails/ujs.

Addresses #336138 (closed).

Draft

This is marked as draft, as it is blocked by !81300 (merged). Some rspec tests are failing as a result.

Notes

  • Now that !83826 (merged) / !84457 (merged) have merged, this is harder to verify locally, as raw CI artifacts are always served with a Content-Type of text/plain. Before that, the steps to verify locally would have been to create a CI job which creates a JS file, and then add a link tag in any page that points to the raw artifact, and add data-remote to it, then click it.
Edited by Mark Florian
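
The following added example is not part of the merge request and is not the @rails/ujs source. It is a simplified model of a `data-remote` response handler that dispatches on the response Content-Type, showing why a `text/plain` artifact never reaches the script branch and what removing that branch changes. `handleRemoteResponse`, `allowScript` and `runScript` are hypothetical names, and the sample body is constructed.

```javascript
// Simplified model of how an Ajax helper can dispatch on the response
// Content-Type. Constructed for illustration; not the @rails/ujs source.
const JSON_TYPE = /\bjson\b/;
const SCRIPT_TYPE = /\b(?:java|ecma)script\b/;

// `runScript` stands in for "insert the body into the page as a <script>".
// `allowScript: true` models the behaviour the merge request removes;
// `allowScript: false` models the patched behaviour.
function handleRemoteResponse(body, contentType, { allowScript, runScript }) {
  if (typeof body !== 'string' || typeof contentType !== 'string') {
    return { kind: 'opaque', value: body };
  }
  if (JSON_TYPE.test(contentType)) {
    try {
      return { kind: 'json', value: JSON.parse(body) };
    } catch (err) {
      return { kind: 'text', value: body }; // malformed JSON stays inert
    }
  }
  if (SCRIPT_TYPE.test(contentType)) {
    if (allowScript) {
      runScript(body); // response body becomes code in the page's origin
      return { kind: 'executed', value: body };
    }
    return { kind: 'text', value: body }; // patched: script is just data
  }
  return { kind: 'text', value: body };
}

// Constructed sample: the same body served under different Content-Types,
// with and without the script branch enabled.
function demo() {
  const body = 'window.marker = 1;';
  const results = [];
  for (const allowScript of [true, false]) {
    for (const type of ['application/javascript', 'text/plain']) {
      const executed = [];
      const out = handleRemoteResponse(body, type, {
        allowScript,
        runScript: (src) => executed.push(src),
      });
      results.push({ allowScript, type, kind: out.kind, ran: executed.length });
    }
  }
  return results;
}

console.table(demo());
```

Only the first row (script Content-Type with the script branch enabled) reports an execution; the `text/plain` rows stay inert in both modes.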
