From d84b39884059c4ed50197cec8522cca029a17673 Mon Sep 17 00:00:00 2001
From: Mitsuhiro Shibuya
Date: Sat, 6 Jul 2024 15:04:10 +0900
Subject: [PATCH] Fix XSS vulnerability in the list view
Refs. https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
---
app/views/rails_admin/main/index.html.haml | 2 +-
spec/integration/actions/index_spec.rb | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/app/views/rails_admin/main/index.html.haml b/app/views/rails_admin/main/index.html.haml
index 21bd89d457..2ce1314d9f 100644
--- a/app/views/rails_admin/main/index.html.haml
+++ b/app/views/rails_admin/main/index.html.haml
@@ -103,7 +103,7 @@
%td.other.left= link_to "...", @other_left_link, class: 'pjax'
- properties.map{ |property| property.bind(:object, object) }.each do |property|
- value = property.pretty_value
- %td{class: "#{property.css_class} #{property.type_css_class}", title: strip_tags(value.to_s)}= value
+ %td{class: "#{property.css_class} #{property.type_css_class}", title: value}= value
- if @other_right_link ||= other_right && index_path(params.merge(set: (params[:set].to_i + 1)))
%td.other.right= link_to "...", @other_right_link, class: 'pjax'
- unless frozen_columns
diff --git a/spec/integration/actions/index_spec.rb b/spec/integration/actions/index_spec.rb
index 1298950098..034d0ce960 100644
--- a/spec/integration/actions/index_spec.rb
+++ b/spec/integration/actions/index_spec.rb
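Review bot: The added `title: value` hands `property.pretty_value` to the attribute with no escaping done by this template, and for many field types that value is an html_safe SafeBuffer carrying markup, so the fix only holds if HAML's attribute builder escapes html_safe strings as well as plain ones — HAML 5 passes every attribute value through `escape_once` regardless of `html_safe?`, while the HAML 6 behaviour should be confirmed against the versions rails_admin supports. Either way the tooltip now contains the raw markup text for such fields instead of the stripped text the old `strip_tags` call produced, a visible regression worth recording in the changelog. Nothing in the template says why the obvious helper was removed, so a later cleanup is likely to reintroduce it; add `-# Do not wrap this in strip_tags: it returns an html_safe string that can leave quotes unescaped, bypassing HAML's attribute escaping (GHSA-8qgm-g2vv-vwvc).` above the `%td` line. Note that in this collapsed hunk the `- properties`, `- value`, `- if` and `- unless` lines are HAML ruby lines kept as context (the 7/7 line counts only admit one removal), and the `each` loop this `%td` sits in continues past the hunk.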
@@ -654,6 +654,18 @@
visit index_path(model_name: 'team')
expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
end
+
+ it 'does not allow XSS for title attribute' do
+ RailsAdmin.config Team do
+ list do
+ field :name
+ end
+ end
+ @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+ visit index_path(model_name: 'team')
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+ end
end
context 'without pagination' do
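Review bot: The new example only pins a plain-string field, while the same `title` attribute also receives fields whose `pretty_value` is already an html_safe string (any field that renders markup), and that is the path whose escaping depends on HAML rather than on the template; a second example configuring `pretty_value` to return the payload as html_safe and asserting `['onclick']` is nil would cover it. The sketch below assumes the `pretty_value` option is available in this field config DSL, which should be confirmed against the configuration code. Minor: `@team` on the `FactoryBot.create` line is never read in the example, so the assignment can be dropped (`FactoryBot.create :team, name: '" onclick="alert()" "'`). The enclosing describe block starts before the hunk.
```ruby
# … unchanged: 'does not allow XSS for title attribute' example …
it 'escapes an html_safe pretty_value in the title attribute' do
  RailsAdmin.config Team do
    list do
      field :name do
        pretty_value { bindings[:object].name.html_safe }
      end
    end
  end
  FactoryBot.create :team, name: '" onclick="alert()" "'
  visit index_path(model_name: 'team')
  expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
end
```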