From 99a052adcc76714af098f42e4386a18123a58c21 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Thu, 8 Jan 2026 10:17:03 -0500
Subject: [PATCH 1/2] GHSA SYNC: 1 brand new advisory + CI fix

---
 gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml | 36 +++++++++++++++++++
 spec/spec_helper.rb | 8 +++++
 2 files changed, 44 insertions(+)
 create mode 100644 gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml

diff --git a/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml b/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
new file mode 100644
index 0000000000..8b39469a3d
--- /dev/null
+++ b/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
@@ -0,0 +1,36 @@
+---
+gem: action_text-trix
+ghsa: g9jg-w8vm-g96v
+url: https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+title: Trix has a stored XSS vulnerability through its attachment attribute
+date: 2025-12-31
+description: |
+ ### Impact
+
+ The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS
+ attacks through attachment payloads.
+
+ An attacker could inject malicious code into a data-trix-attachment
+ attribute that, when rendered as HTML and clicked on, could execute
+ arbitrary JavaScript code within the context of the user's session,
+ potentially leading to unauthorized actions being performed or
+ sensitive information being disclosed.
+
+ ### Patches
+
+ Update Recommendation: Users should upgrade to Trix editor
+ version 2.1.16 or later.
+
+ ### Resources
+
+ The XSS vulnerability was reported by HackerOne researcher
+ [michaelcheers](https://hackerone.com/michaelcheers?type=user).
+cvss_v3: 4.6
+patched_versions:
+ - ">= 2.1.16"
+related:
+ url:
+ - https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+ - https://github.com/basecamp/trix/releases/tag/v2.1.16
+ - https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
+ - https://github.com/advisories/GHSA-g9jg-w8vm-g96v
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ab66791556..885d3fff1c 100644
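Review bot: The `patched_versions` constraint `">= 2.1.16"` is the upstream Trix (JavaScript) release number applied to the `action_text-trix` gem; the entry is only accurate if the gem's version numbers track Trix's one-for-one, which should be confirmed against the gem's release history before publishing, since consumers match on gem version alone and a mismatch would either miss vulnerable installs or flag patched ones. The first entry under `related: url:` repeats the top-level `url:` value verbatim and can be dropped. If a CVE identifier has been assigned to GHSA-g9jg-w8vm-g96v, record it in a `cve:` key so tooling that keys on CVE can correlate the entry; the page does not show one, so I have not guessed.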
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,3 +1,11 @@
+require 'strscan'
+
+class StringScanner
+ def peep(len)
+ peek(len)
+ end
+end
+
 require 'date'
 require 'kwalify'
 require 'rspec'
From db9617ee19347641f84089c0079174236e4306f0 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Thu, 8 Jan 2026 15:47:48 -0500
Subject: [PATCH 2/2] Remove StringScanner class and peep method

Removed StringScanner class and its peep method.

---
 spec/spec_helper.rb | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 885d3fff1c..ab66791556 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,11 +1,3 @@
-require 'strscan'
-
-class StringScanner
- def peep(len)
- peek(len)
- end
-end
-
 require 'date'
 require 'kwalify'
 require 'rspec'
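Review bot: The reopened `class StringScanner` at the top of spec_helper.rb defines `peep` unconditionally, so on a Ruby or strscan release where the method still exists the shim silently replaces the built-in for every library loaded in the test process, and nothing in the hunk records why it is needed (presumably one of the required libraries still calls the removed alias, but that is inferred, not shown). Guard and document it in one place: `# StringScanner#peep was dropped from strscan; keep the alias only where it is missing. TODO(review): name the dependency that still calls it` above the class, and `alias_method :peep, :peek unless method_defined?(:peep)` as the class body instead of the three-line `def peep(len)`. The second patch in this series deletes the shim again, so if the two commits are squashed the point is moot; if they land separately, the first commit should carry the guarded, commented form.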