It seems possible to inject JavaScript code through associations. I have a model in Mongo with embedded documents. Below is an example with JavaScript in the fields.
{
"_id" : ObjectId("001"),
"name" : "\"><img src=x onerror=prompt(3)>",
"profiles" : [
{
"_id" : ObjectId("002"),
"contact" : "\"><img src=x onerror=prompt(4)>",
"name" : "\"><img src=x onerror=prompt(6)>",
"notes" : "\"><img src=x onerror=prompt(5)>",
"updated_at" : ISODate("2015-06-23T10:15:12.279Z")
}
]
}
Upon viewing or editing the '001' document in rails_admin, a JavaScript popup is shown with the value 6. It seems this value is used in several places, both under "show" and "edit", where it is used as the tab title.
Simply removing the trailing .html_safe call in lib/rails_admin/config/fields/association.rb:pretty_value obviously breaks existing functionality.
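Added example (plain Ruby, not rails_admin's own code) showing the pattern the report describes, a record label interpolated into link markup and the whole string then marked safe, next to the fix of escaping each interpolated piece before the markup is assembled. It uses ERB::Util.html_escape from the Ruby standard library (the same escaping Rails' `h` helper performs); the sample document, the `/admin/profile/...` URL and the `pretty_value_*` helpers are assumptions made for this example and are not rails_admin's actual `pretty_value` implementation.

```ruby
require 'erb'

# Constructed sample document, shaped like the Mongo record in the report.
# The ids are illustrative only.
DOCUMENT = {
  '_id' => '001',
  'name' => '"><img src=x onerror=prompt(3)>',
  'profiles' => [
    {
      '_id' => '002',
      'contact' => '"><img src=x onerror=prompt(4)>',
      'name' => '"><img src=x onerror=prompt(6)>',
      'notes' => '"><img src=x onerror=prompt(5)>'
    }
  ]
}

# Hypothetical admin URL for an embedded profile (assumption for this example).
def profile_url(profile)
  "/admin/profile/#{profile['_id']}"
end

# Vulnerable pattern: the record label is interpolated raw into markup and the
# whole string is then treated as safe (in Rails: a trailing `.html_safe`).
# Any HTML inside the label reaches the browser intact.
def pretty_value_unsafe(profile)
  %(<a href="#{profile_url(profile)}">#{profile['name']}</a>)
end

# Hardened pattern: escape every interpolated piece first, then treat the
# assembled markup as safe. The link still renders; the payload does not.
def pretty_value_escaped(profile)
  url   = ERB::Util.html_escape(profile_url(profile))
  label = ERB::Util.html_escape(profile['name'])
  %(<a href="#{url}">#{label}</a>)
end

# Tab titles for the association, one per embedded profile, as they would be
# rendered on the "show" / "edit" pages.
def tab_titles(doc, escape:)
  doc['profiles'].map do |profile|
    escape ? pretty_value_escaped(profile) : pretty_value_unsafe(profile)
  end
end

# Crude check: did a raw <img> tag from the stored data survive into the output?
def contains_raw_tag?(html)
  html.include?('<img')
end

if __FILE__ == $PROGRAM_NAME
  puts tab_titles(DOCUMENT, escape: false)
  puts tab_titles(DOCUMENT, escape: true)
end
```

The point of the second helper is that `.html_safe` should only ever be applied to markup the code itself built from already-escaped data; escaping the label (and any other field interpolated into the value) before the trailing `.html_safe` keeps the link functionality that simply removing the call would break.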