diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index f701fb220d..2c5ad0b10d 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -21,7 +21,7 @@ Lint/ReturnInVoidContext:
# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
# IgnoredMethods: refine
Metrics/BlockLength:
- Max: 1097
+ Max: 1107
# Offense count: 1
# Configuration parameters: Max, CountKeywordArgs.
diff --git a/app/views/rails_admin/main/index.html.erb b/app/views/rails_admin/main/index.html.erb
index 18281e4314..76c2f9f62f 100644
--- a/app/views/rails_admin/main/index.html.erb
+++ b/app/views/rails_admin/main/index.html.erb
@@ -133,7 +133,7 @@
<% end %>
<% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
<% value = property.pretty_value %>
-
+ |
<%= value %>
|
<% end %>
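Review bot: The line this hunk actually changes is not readable in this diff — the removed line renders as an empty `-` and the added one as ` |` — so the attribute markup that the new spec in index_spec.rb exercises (a `title` attribute that a double quote in `value` must not be able to break out of) cannot be checked from here. If `value` returned by `property.pretty_value` is already marked html_safe, a plain `<%= value %>` inside a quoted attribute will not re-escape the quotes; the attribute value should go through explicit escaping (`ERB::Util.html_escape(value)`) or a helper that builds the attribute (`tag`/`content_tag`) so the escaping does not depend on the html_safe flag of the incoming string. The enclosing `each` block starts before this hunk, so the surrounding cell markup is not visible either.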
diff --git a/spec/integration/actions/index_spec.rb b/spec/integration/actions/index_spec.rb
index 44ba1d44ca..989dee9ae7 100644
--- a/spec/integration/actions/index_spec.rb
+++ b/spec/integration/actions/index_spec.rb
@@ -674,6 +674,18 @@
visit index_path(model_name: 'team')
expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
end
+
+ it 'does not allow XSS for title attribute' do
+ RailsAdmin.config Team do
+ list do
+ field :name
+ end
+ end
+ @team = FactoryBot.create :team, name: '" onclick="alert()" "'
+ visit index_path(model_name: 'team')
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
+ expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
+ end
end
context 'when no record exists' do
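Review bot: The new example looks up the same cell twice and assigns `@team` without ever reading it; a single local keeps the two assertions on one element and avoids the unused instance variable: `cell = find('tbody tr:nth-child(1) td:nth-child(2)')`, `expect(cell['onclick']).to be_nil`, `expect(cell['title']).to eq '" onclick="alert()" "'`, with the `FactoryBot.create` call left unassigned. The second assertion is the one that pins the fix, since it proves the quote characters survive into the attribute value as data rather than being stripped, so it is worth keeping even though `be_nil` alone would pass on a stripped value too. The `describe` block enclosing this example starts before the hunk.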