Rails 7.2.3 (October 28, 2025)

• No changes.

Rails 7.2.2.2 (August 13, 2025)

• No changes.

Rails 7.2.2.1 (December 10, 2024)

• Update vendored trix version to 2.1.10

  John Hawthorn

Rails 7.2.2 (October 30, 2024)

• No changes.

Rails 7.2.1.2 (October 23, 2024)

• No changes.

Rails 7.2.1.1 (October 15, 2024)

• Avoid backtracing in plain_text_for_blockquote_node

  [CVE-2024-47888]

  John Hawthorn

Rails 7.2.1 (August 22, 2024)

• Strip content attribute if the key is present but the value is empty

  Jeremy Green

Rails 7.2.0 (August 09, 2024)

• Only sanitize content attribute when present in attachments.

  Petrik de Heus

• Sanitize ActionText HTML ContentAttachment in Trix edit view [CVE-2024-32464]

  Aaron Patterson, Zack Deveau

• Use includes instead of eager_load for with_all_rich_text.

  Petrik de Heus

• Delegate ActionText::Content#deconstruct to Nokogiri::XML::DocumentFragment#elements.

  content = ActionText::Content.new <<~HTML
    <h1>Hello, world</h1>
  
    <div>The body</div>
  HTML
  
  content => [h1, div]
  
  assert_pattern { h1 => { content: "Hello, world" } }
  assert_pattern { div => { content: "The body" } }

  Sean Doyle

• Fix all Action Text database related models to respect ActiveRecord::Base.table_name_prefix configuration.

  Chedli Bourguiba

• Compile ESM package that can be used directly in the browser as actiontext.esm.js

  Matias Grunberg

• Fix using actiontext.js with Sprockets.

  Matias Grunberg

• Upgrade Trix to 2.0.7

  Hartley McGuire

• Fix using Trix with Sprockets.

  Hartley McGuire

Please check [7-1-stable]) for previous changes.