Fix XSS vulnerability in the list view

Refs. GHSA-8qgm-g2vv-vwvc
railsadminteam · Jul 6, 2024 · d84b398 · d84b398
1 parent e066c4f
commit d84b398
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/app/views/rails_admin/main/index.html.haml b/app/views/rails_admin/main/index.html.haml
@@ -103,7 +103,7 @@
  %td.other.left= link_to "...", @other_left_link, class: 'pjax'
  - properties.map{ |property| property.bind(:object, object) }.each do |property|
  - value = property.pretty_value
- %td{class: "#{property.css_class} #{property.type_css_class}", title: strip_tags(value.to_s)}= value
+ %td{class: "#{property.css_class} #{property.type_css_class}", title: value}= value
  - if @other_right_link ||= other_right && index_path(params.merge(set: (params[:set].to_i + 1)))
  %td.other.right= link_to "...", @other_right_link, class: 'pjax'
  - unless frozen_columns

diff --git a/spec/integration/actions/index_spec.rb b/spec/integration/actions/index_spec.rb
@@ -654,6 +654,18 @@
  visit index_path(model_name: 'team')
  expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
  end
+
+ it 'does not allow XSS for title attribute' do
+ RailsAdmin.config Team do
+ list do
+ field :name
+ end
+ end
+ @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+ visit index_path(model_name: 'team')
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+ end
  end
 
  context 'without pagination' do