railsadminteam
diff --git a/‎.rubocop_todo.yml‎
Lines changed: 1 addition & 1 deletion b/‎.rubocop_todo.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/views/rails_admin/main/index.html.erb‎
Lines changed: 2 additions & 2 deletions b/‎app/views/rails_admin/main/index.html.erb‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎spec/integration/actions/index_spec.rb‎
Lines changed: 21 additions & 8 deletions b/‎spec/integration/actions/index_spec.rb‎
Lines changed: 21 additions & 8 deletions
@@ -21,7 +21,7 @@ Lint/ReturnInVoidContext:
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
- Max: 1107
+ Max: 1119
 
 # Offense count: 1
 # Configuration parameters: Max, CountKeywordArgs.
 
@@ -133,9 +133,9 @@
  <% end %>
  <% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
  <% value = property.pretty_value %>
- <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>">
+ <%= content_tag(:td, class: [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?), title: strip_tags(value.to_s)) do %>
  <%= value %>
- </td>
+ <% end %>
  <% end %>
  <td class="last links ra-sidescroll-frozen">
  <ul class="nav d-inline list-inline">
 
@@ -675,16 +675,29 @@
  expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
  end
 
- it 'does not allow XSS for title attribute' do
- RailsAdmin.config Team do
- list do
- field :name
+ describe 'with title attribute' do
+ it 'does not allow XSS' do
+ RailsAdmin.config Team do
+ list do
+ field :name
+ end
  end
+ @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+ visit index_path(model_name: 'team')
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+ end
+
+ it 'does not break values with HTML tags' do
+ RailsAdmin.config Player do
+ list do
+ field :team
+ end
+ end
+ @player = FactoryBot.create :player, team: FactoryBot.create(:team)
+ visit index_path(model_name: 'player')
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq @player.team.name
  end
- @team = FactoryBot.create :team, name: '" onclick="alert()" "'
- visit index_path(model_name: 'team')
- expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
- expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
  end
  end