Update dependency jquery-ui-rails to v7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jquery-ui-rails	'6.0.1' -> '7.0.0'

GitHub Vulnerability Alerts

CVE-2021-41182

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41183

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2021-41184

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

---

Release Notes

joliss/jquery-ui-rails (jquery-ui-rails)

v7.0.0

Compare Source

• Update to jQuery UI 1.13.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

[11:31:58.754] INFO (71): Installing tool [email protected]...
installing v2 tool ruby v3.0.3
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz
[11:32:00.413] INFO (139): Downloading file ...
    url: "https://github.com/containerbase/ruby-prebuild/releases/download/3.0.3/ruby-3.0.3-jammy-x86_64.tar.xz"
    output: "/tmp/renovate/cache/containerbase/500bb85aafd22fa0602ae4677b8244140f70593fdf1f82434c353a72ed783ac4/ruby-3.0.3-jammy-x86_64.tar.xz"
[11:32:00.493] ERROR (139): Response code 404 (Not Found)
[11:32:00.494] FATAL (139): Download failed in 81ms.
[11:32:00.565] ERROR (71): Command failed with exit code 1: /usr/local/containerbase/bin/install-tool.sh ruby 3.0.3
[11:32:00.565] FATAL (71): Install tool ruby failed in 1.8s.