Unless I'm mistaken, there is a serious XSS vulnerability in the treatment of text fields in the show template. The formatted_value is marked as html_safe even though there's no guarantee that it actually is safe. Wrapping it in <pre> tags does nothing to make it safe. The problem was introduced by e37098d. I currently have no suggestions other than to correct this immediately as I don't know anything about bootstrap-wysihtml5.
I'm not usually one to bump my own issue but this should really be ringing alarm bells. It allows regular users to potentially gain access to RailsAdmin with very little effort.
Revert assuming text field as html_safe. Closes #1391
I completely missed this issue when I merged that commit in.
Thanks for pointing this out and alarming us!
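The bug class reported in this thread, shown as an added example that is not RailsAdmin's code: a stored text value flagged as trusted markup skips output escaping, and the surrounding `<pre>` does not change that. `TrustedHtml`, `emit`, the two `show_text_*` helpers and the sample value are hypothetical names and constructed data that model how a Rails view treats an `html_safe` string.

```ruby
require "erb"

# Minimal stand-in for Rails' SafeBuffer (assumption: a model, not the real
# class): a String that reports itself as already-safe markup.
class TrustedHtml < String
  def html_safe?
    true
  end
end

# Models how a Rails view emits a value: escape it unless it is flagged safe.
def emit(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value)
  end
end

# "Before" shape: the stored text is flagged as trusted and wrapped in <pre>.
def show_text_unsafe(stored)
  "<pre>" + emit(TrustedHtml.new(stored)) + "</pre>"
end

# "After" shape: the stored text is left unflagged, so it is escaped on output.
def show_text_escaped(stored)
  "<pre>" + emit(stored) + "</pre>"
end

# Constructed sample: a text field value saved by an ordinary user.
SAMPLE = %q{notes</pre><script>alert(1)</script><pre>}

# True when the rendered HTML still contains a live script element.
def live_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts show_text_unsafe(SAMPLE)   # markup from the stored value survives
  puts show_text_escaped(SAMPLE)  # markup is rendered as inert text
end
```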