Fix 32f91e4 broke fields with HTML tags

Refs. #3686 (comment), GHSA-8qgm-g2vv-vwvc
railsadminteam · Jul 9, 2024 · e3e9e8c · e3e9e8c · robinboening · Jul 9, 2024
1 parent 32f91e4
commit e3e9e8c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 11 deletions.
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -21,7 +21,7 @@ Lint/ReturnInVoidContext:
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
-  Max: 1107
+  Max: 1119
 
 # Offense count: 1
 # Configuration parameters: Max, CountKeywordArgs.

diff --git a/app/views/rails_admin/main/index.html.erb b/app/views/rails_admin/main/index.html.erb
@@ -133,9 +133,9 @@
               <% end %>
               <% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
                 <% value = property.pretty_value %>
-                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>">
+                <%= content_tag(:td, class: [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?), title: strip_tags(value.to_s)) do %>
                   <%= value %>
-                </td>
+                <% end %>
               <% end %>
               <td class="last links ra-sidescroll-frozen">
                 <ul class="nav d-inline list-inline">

diff --git a/spec/integration/actions/index_spec.rb b/spec/integration/actions/index_spec.rb
@@ -675,16 +675,29 @@
       expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
     end
 
-    it 'does not allow XSS for title attribute' do
-      RailsAdmin.config Team do
-        list do
-          field :name
+    describe 'with title attribute' do
+      it 'does not allow XSS' do
+        RailsAdmin.config Team do
+          list do
+            field :name
+          end
         end
+        @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+        visit index_path(model_name: 'team')
+        expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+        expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+      end
+
+      it 'does not break values with HTML tags' do
+        RailsAdmin.config Player do
+          list do
+            field :team
+          end
+        end
+        @player = FactoryBot.create :player, team: FactoryBot.create(:team)
+        visit index_path(model_name: 'player')
+        expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq @player.team.name
       end
-      @team = FactoryBot.create :team, name: '" onclick="alert()" "'
-      visit index_path(model_name: 'team')
-      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
-      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
     end
   end