Merge branch 'main' into fix/boolean-group-broken-with-virtual-property

Gemfile.lock

@@ -115,7 +115,7 @@ GIT
 PATH
   remote: .
   specs:
-    avo (3.10.5)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -484,7 +484,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

app/components/avo/index/table_row_component.html.erb

@@ -42,7 +42,7 @@
     <% end %>
   <% end %>
   <% if Avo.configuration.resource_controls_on_the_right? %>
-    <td class="text-right whitespace-nowrap" data-control="resource-controls">
+    <td class="text-right whitespace-nowrap px-3" data-control="resource-controls">
       <div class="flex items-center justify-end flex-grow-0 h-full">
         <%= render resource_controls_component %>
       </div>

app/components/avo/resource_component.rb

@@ -50,8 +50,6 @@ def can_see_the_destroy_button?
   end
 
   def can_see_the_actions_button?
-    return false if @actions.blank?
-
     return authorize_association_for(:act_on) if @reflection.present?
 
     @resource.authorization.authorize_action(:act_on, raise_exception: false) && !has_reflection_and_is_read_only

gemfiles/rails_6.1_ruby_3.1.4.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -415,7 +415,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_6.1_ruby_3.3.0.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -415,7 +415,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_7.1_ruby_3.1.4.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -446,7 +446,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_7.1_ruby_3.3.0.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -446,7 +446,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_7.2.0.beta2_ruby_3.1.4.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -442,7 +442,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_7.2.0.beta2_ruby_3.3.0.gemfile.lock

@@ -13,7 +13,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -442,7 +442,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_8.0_ruby_3.1.4.gemfile.lock

@@ -120,7 +120,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -453,7 +453,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

gemfiles/rails_8.0_ruby_3.3.0.gemfile.lock

@@ -120,7 +120,7 @@ PATH
 PATH
   remote: ..
   specs:
-    avo (3.10.2)
+    avo (3.10.6)
       actionview (>= 6.1)
       active_link_to
       activerecord (>= 6.1)
@@ -453,7 +453,7 @@ GEM
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
-    rexml (3.3.1)
+    rexml (3.3.2)
       strscan
     ripper-tags (1.0.2)
     rspec-core (3.13.0)

lib/avo/concerns/pagination.rb

@@ -35,11 +35,13 @@ def apply_pagination(index_params:, query:)
           extra_pagy_params[:keep_filters_panel_open] = "0"
         end
 
+        data_turbo_frame = "data-turbo-frame=\"#{CGI.escapeHTML(params[:turbo_frame]) if params[:turbo_frame]}\""
+
         send PAGINATION_METHOD[pagination_type.to_sym],
           query,
           items: index_params[:per_page],
-          link_extra: "data-turbo-frame=\"#{params[:turbo_frame]}\"", # Add extra arguments in pagy 7.
-          anchor_string: "data-turbo-frame=\"#{params[:turbo_frame]}\"", # Add extra arguments in pagy 8.
+          link_extra: data_turbo_frame, # Add extra arguments in pagy 7.
+          anchor_string: data_turbo_frame, # Add extra arguments in pagy 8.
           params: extra_pagy_params,
           size: pagination_hash[:size]
       end

lib/avo/version.rb

@@ -1,3 +1,3 @@
 module Avo
-  VERSION = "3.10.5" unless const_defined?(:VERSION)
+  VERSION = "3.10.6" unless const_defined?(:VERSION)
 end

package.json

@@ -64,7 +64,7 @@
     "luxon": "^3.4.4",
     "mapkick": "^0.2.6",
     "mousetrap": "^1.6.5",
-    "postcss": "^8.4.38",
+    "postcss": "^8.4.39",
     "postcss-flexbugs-fixes": "^5.0.2",
     "postcss-import": "^15.1.0",
     "postcss-loader": "^7.3.4",

spec/system/avo/app_spec.rb

@@ -67,4 +67,18 @@
       }.to change(Project, :count).by(-1)
     end
   end
+
+  describe "security", js: true do
+    let!(:projects) { create_list :project, 2 }
+
+    it "xss in turbo frames 1" do
+      visit "/admin/resources/projects?per_page=1&turbo_frame=has_many_field_show_test_xgc2pf%22%3e%3cscript%3ealert(1)%3c%2fscript%3ep9sk5"
+      expect { accept_alert }.to raise_error(Capybara::ModalNotFound)
+    end
+
+    it "xss in turbo frames 2" do
+      visit '/admin/resources/projects?per_page=1&turbo_frame=has_many_field_show_test_xgc2pf><script>alert("XSS")<%2Fscript>p9sk5'
+      expect { accept_alert }.to raise_error(Capybara::ModalNotFound)
+    end
+  end
 end

yarn.lock

@@ -3882,6 +3882,11 @@ picocolors@^1.0.0:
   resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.0.0.tgz#cb5bdc74ff3f51892236eaf79d68bc44564ab81c"
   integrity sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==
 
+picocolors@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/picocolors/-/picocolors-1.0.1.tgz#a8ad579b571952f0e5d25892de5445bcfe25aaa1"
+  integrity sha512-anP1Z8qwhkbmu7MFP5iTt+wQKXgwzf7zTyGlcdzabySa9vd0Xt392U0rVmz9poOaBj0uHJKyyo9/upk0HrEQew==
+
 picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.3.1:
   version "2.3.1"
   resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
@@ -4277,13 +4282,13 @@ postcss@^8.4.33:
     picocolors "^1.0.0"
     source-map-js "^1.0.2"
 
-postcss@^8.4.38:
-  version "8.4.38"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.38.tgz#b387d533baf2054288e337066d81c6bee9db9e0e"
-  integrity sha512-Wglpdk03BSfXkHoQa3b/oulrotAkwrlLDRSOb9D0bN86FdRyE9lppSp33aHNPgBa0JKCoB+drFLZkQoRRYae5A==
+postcss@^8.4.39:
+  version "8.4.39"
+  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.39.tgz#aa3c94998b61d3a9c259efa51db4b392e1bde0e3"
+  integrity sha512-0vzE+lAiG7hZl1/9I8yzKLx3aR9Xbof3fBHKunvMfOCYAtMhrsnccJY2iTURb9EZd5+pLuiNV9/c/GZJOHsgIw==
   dependencies:
     nanoid "^3.3.7"
-    picocolors "^1.0.0"
+    picocolors "^1.0.1"
     source-map-js "^1.2.0"
 
 preact@^10.13.2: