Disallow script execution by @rails/ujs
This adds and uses patch-package to remove the data-remote script
execution behaviour of @rails/ujs.
Addresses #336138 (closed).
Draft
This is marked as draft, as it is blocked by !81300 (merged). Some rspec tests are failing as a result.
Notes
- Now that !83826 (merged) / !84457 (merged) have merged, this is harder to verify locally, as raw CI artifacts are always served with a `Content-Type` of `text/plain`. Before that, the steps to verify locally would have been to create a CI job which creates a JS file, and then add a link tag in any page that points to the raw artifact, and add `data-remote` to it, then click it.
Edited by Mark Florian
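
An added example, not part of the merge request and not @rails/ujs source: a simplified model of how a client might dispatch a `data-remote` response on its `Content-Type`, showing why an artifact served as `text/plain` stays inert and what removing the script branch changes. The function names, the regular expressions and the sample responses are assumptions constructed for illustration.

```javascript
// Simplified model (assumption), not the library's code.
const SCRIPT_TYPE = /\b(?:java|ecma)script\b/i;
const MARKUP_TYPE = /\b(?:xml|html|svg)\b/i;

// Decide what a client would do with a response body.
// allowScriptExecution = true  models the behaviour before the patch,
// allowScriptExecution = false models the behaviour after it.
function dispatchResponse(contentType, body, allowScriptExecution) {
  // Drop parameters such as "; charset=utf-8" before matching.
  const type = String(contentType || '').split(';')[0].trim();
  if (SCRIPT_TYPE.test(type) && allowScriptExecution) {
    return { action: 'execute', payload: body };
  }
  if (MARKUP_TYPE.test(type)) {
    return { action: 'parse-markup', payload: body };
  }
  // Everything else, including script types once execution is removed,
  // is handed back as inert text.
  return { action: 'text', payload: body };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { contentType: 'text/javascript', body: 'marker()' },
  { contentType: 'application/javascript; charset=utf-8', body: 'marker()' },
  { contentType: 'text/plain', body: 'marker()' }, // raw CI artifact, per the note above
  { contentType: 'text/html', body: '<p>hi</p>' },
];

// Compare the action taken for each sample before and after the patch.
function compareBehaviour(samples) {
  return samples.map(({ contentType, body }) => ({
    contentType,
    before: dispatchResponse(contentType, body, true).action,
    after: dispatchResponse(contentType, body, false).action,
  }));
}

console.table(compareBehaviour(SAMPLES));
```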