Update dependency rails_admin to v3.1.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
rails_admin (source)	3.0.0 -> 3.1.3

GitHub Vulnerability Alerts

CVE-2024-39308

Impact

RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute.
The issue was originally reported in https://github.com/railsadminteam/rails_admin/issues/3686.

Patches

Upgrade to 3.1.3 or 2.3.0.

Workarounds

1. Copy the index view (located under the path app/views/rails_admin/main/index.html.erb) from the RailsAdmin version you use, and place it into your application by using the same path.
2. Open the view file by an editor, and remove strip_tags from the title attribute:

               <% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
                 <% value = property.pretty_value %>
-                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= strip_tags(value.to_s) %>">
+                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>">
                   <%= value %>
                 </td>
               <% end %>

Note: The view file created by this needs to be removed after upgrading RailsAdmin afterwards, unless this old view continue to be used. Only do this if you can't upgrade RailsAdmin now for a reason.

References

https://owasp.org/www-community/attacks/xss/
https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags

---

Release Notes

sferik/rails_admin (rails_admin)

v3.1.3

Compare Source

v3.1.2

Compare Source

Full Changelog

Fixed

• Fix install failing with importmap setup (aca22b6, #​3609)
• Fix to show non-eager-loaded models which are explicitly configured (87c9d5b, #​3604)
• Fix rails_admin.dom_ready event not triggered with jQuery on (2ee43de, 33773d7, #​3600)
• Restore caching in RailsAdmin::Config::Model#excluded? (#​3587)
• Optimize/simplify viable_models file path to class name logic (#​3589)

v3.1.1

Compare Source

Full Changelog

Changed

• Relax Font-Awesome dependency to allow Webpacker users to stay on 5.x (3a7f348, #​3565)

Removed

• Remove unused glphyicon assets (#​3578)

Fixed

• Simplify uses of defined? (#​3561)
• Define jQuery object in separate file to support esbuild (#​3571)
• Fix filter box being duplicated on browser back (c6b1893, #​3570)
• Fix sidebar menu expanding horizontally, preventing vertical scroll (9997c10, #​3564)

v3.1.0

Compare Source

Full Changelog

Fixed

• Fix to use defer instead of async to ensure script loading order (2a40976, #​3513)
• Improve filter method select box appearance (#​3559)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.