security: prevent xss in pagination params (#2990)

* security: prevent xss in turbo frames

* wip

* wip

* wip

* use CGI.escapeHTML

* test and fix when params[:turbo_frame] is nil

---------

Co-authored-by: Paul Bob <[email protected]>

lib/avo/concerns/pagination.rb

@@ -35,11 +35,13 @@ def apply_pagination(index_params:, query:)
           extra_pagy_params[:keep_filters_panel_open] = "0"
         end
 
+        data_turbo_frame = "data-turbo-frame=\"#{CGI.escapeHTML(params[:turbo_frame]) if params[:turbo_frame]}\""
+
         send PAGINATION_METHOD[pagination_type.to_sym],
           query,
           items: index_params[:per_page],
-          link_extra: "data-turbo-frame=\"#{params[:turbo_frame]}\"", # Add extra arguments in pagy 7.
-          anchor_string: "data-turbo-frame=\"#{params[:turbo_frame]}\"", # Add extra arguments in pagy 8.
+          link_extra: data_turbo_frame, # Add extra arguments in pagy 7.
+          anchor_string: data_turbo_frame, # Add extra arguments in pagy 8.
           params: extra_pagy_params,
           size: pagination_hash[:size]
       end

spec/system/avo/app_spec.rb

@@ -67,4 +67,18 @@
       }.to change(Project, :count).by(-1)
     end
   end
+
+  describe "security", js: true do
+    let!(:projects) { create_list :project, 2 }
+
+    it "xss in turbo frames 1" do
+      visit "/admin/resources/projects?per_page=1&turbo_frame=has_many_field_show_test_xgc2pf%22%3e%3cscript%3ealert(1)%3c%2fscript%3ep9sk5"
+      expect { accept_alert }.to raise_error(Capybara::ModalNotFound)
+    end
+
+    it "xss in turbo frames 2" do
+      visit '/admin/resources/projects?per_page=1&turbo_frame=has_many_field_show_test_xgc2pf><script>alert("XSS")<%2Fscript>p9sk5'
+      expect { accept_alert }.to raise_error(Capybara::ModalNotFound)
+    end
+  end
 end