Revert "Fix XSS vulnerability in the list view"

mshibuya · mshibuya · commit 34d8431efbe4 · 2024-07-09T16:09:06.000+09:00
This reverts commit d84b398. Because it's causing a functional issue, as well as being unnecessary. Refs. #3686 (comment)
diff --git a/app/views/rails_admin/main/index.html.haml b/app/views/rails_admin/main/index.html.haml
@@ -103,7 +103,7 @@
               %td.other.left= link_to "...", @other_left_link, class: 'pjax'
             - properties.map{ |property| property.bind(:object, object) }.each do |property|
               - value = property.pretty_value
-              %td{class: "#{property.css_class} #{property.type_css_class}", title: value}= value
+              %td{class: "#{property.css_class} #{property.type_css_class}", title: strip_tags(value.to_s)}= value
             - if @other_right_link ||= other_right && index_path(params.merge(set: (params[:set].to_i + 1)))
               %td.other.right= link_to "...", @other_right_link, class: 'pjax'
             - unless frozen_columns
diff --git a/spec/integration/actions/index_spec.rb b/spec/integration/actions/index_spec.rb
@@ -654,18 +654,6 @@
       visit index_path(model_name: 'team')
       expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
     end
-
-    it 'does not allow XSS for title attribute' do
-      RailsAdmin.config Team do
-        list do
-          field :name
-        end
-      end
-      @team = FactoryBot.create :team, name: '" onclick="alert()" "'
-      visit index_path(model_name: 'team')
-      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
-      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
-    end
   end
 
   context 'without pagination' do
