Disallow script execution by @rails/ujs
This adds and uses patch-package to remove the data-remote script execution behaviour of @rails/ujs.
Addresses #336138 (closed).
Draft
This is marked as draft, as it is blocked by !81300 (merged). Some rspec tests are failing as a result.
Notes
- Now that !83826 (merged) / !84457 (merged) have merged, this is harder to verify locally, as raw CI artifacts are always served with a Content-Type of text/plain. Before that, the steps to verify locally would have been to create a CI job which creates a JS file, and then add a link tag in any page that points to the raw artifact, and add data-remote to it, then click it.
Edited by Mark Florian