
StringLike field with quotes breaks out of title #3686

Closed
DRSisco opened this issue Jun 11, 2024 · 4 comments

Comments

@DRSisco

DRSisco commented Jun 11, 2024

Describe the bug

Storing content in a field that contains quotes results in only the content before the first quote being in the title. The rest of the content is stored in the tag as individual attributes.

We noticed this when the word hidden was stored after a quote, which resulted in the cell being hidden and the rest of the row shifting to the left.

Reproduction steps

  • For a given record with a StringLike field:
    • Put the content Example "text" hidden in the field.
    • View the index page that contains this model/field.

Expected behavior

  • The content should show (with ellipsis if necessary based on space), and the title should represent the whole field, escaping quotes with `&quot;`

Additional context

  • rails version: 7.1.3
  • rails_admin version: 3.0.0.beta2
@mshibuya
Member

mshibuya commented Jul 6, 2024

I realized that this issue leads to an XSS vulnerability, so I've published a security advisory: GHSA-8qgm-g2vv-vwvc
I recommend upgrading to the latest release 3.1.3, as soon as possible. Also fixed in the master: 32f91e4

Thank you for giving the valuable report 👍

@mshibuya mshibuya closed this as completed Jul 6, 2024
@q3aiml
Contributor

q3aiml commented Jul 8, 2024

@mshibuya thank you for your work on this!

When trying 3.1.3 with this change I am seeing unescaped HTML tags in the title attribute. The field value does appear properly escaped -- it is the HTML from pretty_value in rails admin that is unescaped and no longer stripped out.

For example on booleans:


<td class="flag1_field boolean_type" title="<span class="badge bg-danger"><span class="fas fa-times"></span></span>">
  <span class="badge bg-danger"><span class="fas fa-times"></span></span>
</td>

Or associations:


<td class="user_field belongs_to_association_type" title="<a href="/admin/user/00000000-0000-0000-0000-000000000000">Test User1</a>">
  <a href="/admin/user/00000000-0000-0000-0000-000000000000">Test User1</a>
</td>
  • rails version: 7.0.8.4
  • rails_admin version: 3.1.3
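The two failure modes in this thread (the original report, where a quote in the field value terminates the `title` attribute early, and the follow-up above, where HTML from `pretty_value` reaches the attribute unescaped) are easy to reproduce with plain Ruby. The script below is an added example, not rails_admin's own code: the `<td>` markup, the `strip_tags` stand-in (a naive regex, not Rails' sanitizer), and the `/admin/user/placeholder-id` path are assumptions made for the demonstration. It renders the cell the unsafe way and the escaped way, then extracts the value a browser would take for `title` so the difference is visible.

```ruby
require "erb"
require "cgi"

# Constructed sample values (not taken from the project's code). The first is
# the reproduction string from the report; the other two mimic pretty_value
# output for a boolean badge and a belongs_to link.
FIELD_VALUE  = 'Example "text" hidden'
BOOLEAN_HTML = '<span class="badge bg-danger"><span class="fas fa-times"></span></span>'
ASSOC_HTML   = '<a href="/admin/user/placeholder-id">Test User1</a>'

# The reported behaviour: the raw value is interpolated into the title
# attribute, so the first double quote closes the attribute early.
def unsafe_title_cell(value)
  %(<td class="example_field" title="#{value}">#{value}</td>)
end

# Hardened form: escape the value once for the attribute and once for the
# text node; ERB::Util.html_escape turns " into &quot; and < into &lt;.
def safe_title_cell(value)
  escaped = ERB::Util.html_escape(value)
  %(<td class="example_field" title="#{escaped}">#{escaped}</td>)
end

# Naive tag stripper (assumption: a simplified stand-in for Rails' strip_tags)
# so that only text, never markup, is used for the tooltip.
def strip_tags(html)
  html.gsub(/<[^>]*>/, "").strip
end

# Title built from pretty_value HTML: drop the markup first, then escape the
# remaining text for the attribute context.
def title_from_pretty_value(html)
  ERB::Util.html_escape(strip_tags(html))
end

# Approximates what a browser takes as the attribute's value: everything
# between the opening quote and the next double quote.
def attribute_value(tag_html, name)
  tag_html[/\s#{name}="([^"]*)"/, 1]
end

def demo
  unsafe = unsafe_title_cell(FIELD_VALUE)
  safe   = safe_title_cell(FIELD_VALUE)
  puts unsafe
  puts "  title seen by the browser: #{attribute_value(unsafe, 'title').inspect}"
  puts safe
  puts "  title seen by the browser: #{CGI.unescapeHTML(attribute_value(safe, 'title')).inspect}"
  puts "boolean title:     #{title_from_pretty_value(BOOLEAN_HTML).inspect}"
  puts "association title: #{title_from_pretty_value(ASSOC_HTML).inspect}"
end

demo if __FILE__ == $PROGRAM_NAME
```

Running it shows the unsafe cell's `title` truncated to `Example ` with `text"` and `hidden"` left over as stray attributes, while the escaped cell's `title` decodes back to the full field value. For `pretty_value` HTML, stripping before escaping yields an empty title for the boolean badge and `Test User1` for the association, which is the behaviour the follow-up comment asks for.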

mshibuya added a commit that referenced this issue Jul 9, 2024
@mshibuya
Member

mshibuya commented Jul 9, 2024

@q3aiml So sorry for the issue, I messed up 🙇‍♂️
I'm preparing for another release now.

mshibuya added a commit that referenced this issue Jul 9, 2024
This reverts commit d84b398.
Because it's causing a functional issue, as well as being unnecessary.
Refs. #3686 (comment)
@mshibuya
Member

mshibuya commented Jul 9, 2024

Released 3.1.4. Please give it a try, and if you see any issue please let me know 🙇‍♂️
