Fix XSS vulnerability in the list view

Refs. GHSA-8qgm-g2vv-vwvc

Author: mshibuya

.rubocop_todo.yml

@@ -21,7 +21,7 @@ Lint/ReturnInVoidContext:
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
-  Max: 1097
+  Max: 1107
 
 # Offense count: 1
 # Configuration parameters: Max, CountKeywordArgs.

app/views/rails_admin/main/index.html.erb

@@ -133,7 +133,7 @@
               <% end %>
               <% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
                 <% value = property.pretty_value %>
-                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= strip_tags(value.to_s) %>">
+                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>">
                   <%= value %>
                 </td>
               <% end %>

spec/integration/actions/index_spec.rb

@@ -674,6 +674,18 @@
       visit index_path(model_name: 'team')
       expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
     end
+
+    it 'does not allow XSS for title attribute' do
+      RailsAdmin.config Team do
+        list do
+          field :name
+        end
+      end
+      @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+      visit index_path(model_name: 'team')
+      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+    end
   end
 
   context 'when no record exists' do