Friday, March 13, 2026

Validate URI scheme in Action Text and more

Posted by Wojtek

Hi, Wojtek here. Let’s quickly look at a few of this week’s fixes.

Validate URI scheme in Action Text markdown link conversion
Add a Rails::HTML::Sanitizer.allowed_uri? check to markdown_link. When the URI scheme is disallowed, return the escaped title wrapped in escaped brackets (\[title\]) instead of emitting a link.

Example: <action-text-attachment url="data:text/html,PAYLOAD"> previously produced ![Image](data:text/html,PAYLOAD) in markdown output. Now it produces \[Image\].
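
The behavior change above, as an added stand-alone Ruby sketch; it is not Action Text's or rails-html-sanitizer's own code. The local `allowed_uri?` is a simplified stand-in for Rails::HTML::Sanitizer.allowed_uri? with a constructed scheme allowlist, and the helper names and signatures are assumptions.

```ruby
# Constructed allowlist for this sketch; the real rules live in rails-html-sanitizer.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Simplified stand-in for Rails::HTML::Sanitizer.allowed_uri? (assumption).
def allowed_uri?(url)
  # Drop ASCII control characters and spaces first, since browsers tolerate
  # some of them inside a scheme ("java\tscript:" still resolves as a scheme).
  cleaned = url.to_s.gsub(/[\x00-\x20]/, "")
  scheme = cleaned[/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/, 1]
  # No scheme means a relative URL, which is allowed here.
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Escape the characters that could close or reopen a markdown link label.
def escape_markdown(text)
  text.to_s.gsub(/[\\\[\]]/) { |c| "\\#{c}" }
end

# "Before" behavior: the URL is emitted without looking at its scheme.
def unchecked_markdown_link(title, url, image: false)
  "#{'!' if image}[#{escape_markdown(title)}](#{url})"
end

# "After" behavior: a disallowed scheme yields the escaped title in escaped
# brackets, so no link or image destination reaches the markdown output.
def safe_markdown_link(title, url, image: false)
  return "\\[#{escape_markdown(title)}\\]" unless allowed_uri?(url)
  unchecked_markdown_link(title, url, image: image)
end

if __FILE__ == $0
  # Constructed sample inputs, not taken from any real attachment.
  [
    ["Image", "data:text/html,PAYLOAD", true],
    ["Docs", "https://example.com/guide", false],
    ["Click", "JaVa\tScRiPt:PAYLOAD", false],
    ["Blob", "/rails/active_storage/blobs/1", true]
  ].each do |title, url, image|
    puts safe_markdown_link(title, url, image: image)
  end
end
```
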

Restore previous instrumenter after execute_or_skip
The fix saves and restores the previous instrumenter value around the EventBuffer’s lifetime. On background threads, this is a no-op (saves nil, restores nil). On the caller thread via caller_runs, it restores the real instrumenter and prevents contamination.

Optimize generated Dockerfile build performance
Reduces the number of Docker build layers.

Fix parsing SQLite virtual tables without parenthesis
Previously, running bin/rails db:migrate with virtual tables crashed the schema dumper, which produced a broken db/schema.rb file.

You can view the whole list of changes here.
We had 14 contributors to the Rails codebase this past week!

Until next time!
