angular_xss 0.1.0

data/.gitignore

@@ -0,0 +1,5 @@
+doc
+pkg
+*.gem
+.idea
+spec/*/log/*

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Henning Koch
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,43 @@
+angular_xss
+===========
+
+When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
+
+This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `.
+
+**This is an unsatisfactory hack.** A better solution is very much desired, but might not be possible without significant refactoring of AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
+
+
+Installation
+------------
+
+0. Read the code so you know what you're getting into.
+
+1. Put this into your Gemfile **after other templating engines** like Haml or Erubis:
+
+    gem 'angular_xss' # put me after Haml, Erubis and other templating engines
+
+2. Run `bundle install`.
+
+3. Run your test suite to find the places that broke.
+
+4. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
+
+
+Known issues
+------------
+- Requires Haml. Could be refactored to only patch ERB/rails_xss.
+
+
+Development
+-----------
+
+- Fork the repository.
+- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
+- Send a pull request.
+
+
+Credits
+-------
+
+[Henning Koch](mailto:henning.koch@makandra.de) from [makandra](http://makandra.com/).

data/Rakefile

@@ -0,0 +1,62 @@
+require 'rake'
+require 'bundler/gem_tasks'
+
+desc 'Default: Run all specs.'
+task :default => 'all:spec'
+
+
+namespace :travis do
+  
+  desc 'Run tests on Travis CI'
+  task :run => ['slimgems', 'all:bundle:install', 'all:spec']
+
+  desc 'Install slimgems'
+  task :slimgems do
+    system('gem install slimgems')
+  end
+
+end
+
+namespace :all do
+
+  desc "Run specs on all spec apps"
+  task :spec do
+    success = true
+    for_each_directory_of('spec/**/Rakefile') do |directory|
+      env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
+      success &= system("cd #{directory} && #{env} bundle exec rake spec")
+    end
+    fail "Tests failed" unless success
+  end
+
+  namespace :bundle do
+
+    desc "Bundle all spec apps"
+    task :install do
+      for_each_directory_of('spec/**/Gemfile') do |directory|
+        Bundler.with_clean_env do
+          system("cd #{directory} && bundle install")
+        end
+      end
+    end
+
+    desc "Update all gems, or a list of gem given by the GEM environment variable"
+    task :update do
+      for_each_directory_of('spec/**/Gemfile') do |directory|
+        Bundler.with_clean_env do
+          system("cd #{directory} && bundle update #{ENV['GEM']}")
+        end
+      end
+    end
+
+  end
+
+end
+
+def for_each_directory_of(path, &block)
+  Dir[path].sort.each do |rakefile|
+    directory = File.dirname(rakefile)
+    puts '', "\033[44m#{directory}\033[0m", ''
+    block.call(directory)
+  end
+end

data/assignable_values.gemspec

@@ -0,0 +1,20 @@
+$:.push File.expand_path("../lib", __FILE__)
+require "angular_xss/version"
+
+Gem::Specification.new do |s|
+  s.name = 'angular_xss'
+  s.version = AngularXss::VERSION
+  s.authors = ["Henning Koch"]
+  s.email = 'henning.koch@makandra.de'
+  s.homepage = 'https://github.com/makandra/angular_xss'
+  s.summary = 'Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.'
+  s.description = s.summary
+  s.license = 'MIT'
+
+  s.files         = `git ls-files`.split($\)
+  s.test_files    = s.files.grep(%r{^spec/})
+  s.require_paths = ["lib"]
+
+  s.add_dependency('activesupport')
+  s.add_dependency('haml')
+end

data/lib/angular_xss.rb

@@ -0,0 +1,5 @@
+#"string".respond_to?(:html_safe?) or raise "No rails_xss implementation present"
+
+require 'angular_xss/escaper'
+require 'angular_xss/erb'
+require 'angular_xss/haml'

data/lib/angular_xss/erb.rb

@@ -0,0 +1,25 @@
+# Use module_eval so we crash when ERB::Util has not yet been loaded.
+ERB::Util.module_eval do
+
+  def html_escape_with_escaping_angular_expressions(s)
+    s = s.to_s
+    if s.html_safe?
+      s
+    else
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+    end
+  end
+
+  alias_method_chain :html_escape, :escaping_angular_expressions
+
+  # Aliasing twice issues a warning "discarding old...". Remove first to avoid it.
+  remove_method(:h)
+  alias h html_escape
+
+  module_function :h
+
+  singleton_class.send(:remove_method, :html_escape)
+  module_function :html_escape
+  module_function :html_escape_without_escaping_angular_expressions
+
+end

data/lib/angular_xss/escaper.rb

@@ -0,0 +1,10 @@
+module AngularXss
+  class Escaper
+
+    def self.escape(string)
+      string.gsub('{{', ' { { ')
+    end
+
+  end
+end
+

data/lib/angular_xss/haml.rb

@@ -0,0 +1,15 @@
+# Use module_eval so we crash when Haml::Helpers has not yet been loaded.
+Haml::Helpers.module_eval do
+
+  def html_escape_with_escaping_angular_expressions(s)
+    s = s.to_s
+    if s.html_safe?
+      s
+    else
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+    end
+  end
+
+  alias_method_chain :html_escape, :escaping_angular_expressions
+
+end

data/lib/angular_xss/version.rb

@@ -0,0 +1,3 @@
+module AngularXss
+  VERSION = '0.1.0'
+end

data/spec/rails-2.3/Gemfile

@@ -0,0 +1,10 @@
+source 'http://rubygems.org'
+
+gem 'sqlite3'
+gem 'rails', '~>2.3.10'
+gem 'rspec', '<2'
+gem 'rspec-rails', '<2'
+gem 'rspec_candy'
+gem 'haml', '=3.0.25'
+gem 'rails_xss'
+gem 'angular_xss', :path => '../..'

data/spec/rails-2.3/Gemfile.lock

@@ -0,0 +1,56 @@
+PATH
+  remote: ../..
+  specs:
+    angular_xss (0.1.0)
+      activesupport
+      haml
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (2.3.18)
+      actionpack (= 2.3.18)
+    actionpack (2.3.18)
+      activesupport (= 2.3.18)
+      rack (~> 1.1.0)
+    activerecord (2.3.18)
+      activesupport (= 2.3.18)
+    activeresource (2.3.18)
+      activesupport (= 2.3.18)
+    activesupport (2.3.18)
+    erubis (2.7.0)
+    haml (3.0.25)
+    rack (1.1.6)
+    rails (2.3.18)
+      actionmailer (= 2.3.18)
+      actionpack (= 2.3.18)
+      activerecord (= 2.3.18)
+      activeresource (= 2.3.18)
+      activesupport (= 2.3.18)
+      rake (>= 0.8.3)
+    rails_xss (0.5.1)
+      erubis (>= 2.6.5)
+    rake (10.1.1)
+    rspec (1.3.2)
+    rspec-rails (1.3.4)
+      rack (>= 1.0.0)
+      rspec (~> 1.3.1)
+    rspec_candy (0.3.1)
+      rspec
+      sneaky-save
+    sneaky-save (0.0.2)
+      activerecord (>= 2.3.2)
+    sqlite3 (1.3.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  angular_xss!
+  haml (= 3.0.25)
+  rails (~> 2.3.10)
+  rails_xss
+  rspec (< 2)
+  rspec-rails (< 2)
+  rspec_candy
+  sqlite3

data/spec/rails-2.3/Rakefile

@@ -0,0 +1,11 @@
+require 'rake'
+require 'spec/rake/spectask'
+
+desc 'Default: Run all specs for a specific rails version.'
+task :default => :spec
+
+desc "Run all specs for a specific rails version"
+Spec::Rake::SpecTask.new() do |t|
+  t.spec_opts = ['--options', "\"spec.opts\""]
+  t.spec_files = defined?(SPEC) ? SPEC : FileList['**/*_spec.rb', '../shared/**/*_spec.rb']
+end

data/spec/rails-2.3/app_root/config/boot.rb

@@ -0,0 +1,129 @@
+# Allow customization of the rails framework path
+RAILS_FRAMEWORK_ROOT = (ENV['RAILS_FRAMEWORK_ROOT'] || "#{File.dirname(__FILE__)}/../../../../../../vendor/rails") unless defined?(RAILS_FRAMEWORK_ROOT) 
+
+# Don't change this file!
+# Configure your app in config/environment.rb and config/environments/*.rb
+
+RAILS_ROOT = "#{File.dirname(__FILE__)}/.." unless defined?(RAILS_ROOT)
+
+module Rails
+  class << self
+    def boot!
+      unless booted?
+        preinitialize
+        pick_boot.run
+      end
+    end
+
+    def booted?
+      defined? Rails::Initializer
+    end
+
+    def pick_boot
+      (vendor_rails? ? VendorBoot : GemBoot).new
+    end
+
+    def vendor_rails?
+      File.exist?(RAILS_FRAMEWORK_ROOT)
+    end
+
+    def preinitialize
+      load(preinitializer_path) if File.exist?(preinitializer_path)
+    end
+
+    def preinitializer_path
+      "#{RAILS_ROOT}/config/preinitializer.rb"
+    end
+  end
+
+  class Boot
+    def run
+      load_initializer
+      Rails::Initializer.run(:set_load_path)
+    end
+  end
+
+  class VendorBoot < Boot
+    def load_initializer
+      require "#{RAILS_FRAMEWORK_ROOT}/railties/lib/initializer"
+      Rails::Initializer.run(:install_gem_spec_stubs)
+    end
+  end
+
+  class GemBoot < Boot
+    def load_initializer
+      self.class.load_rubygems
+      load_rails_gem
+      require 'initializer'
+    end
+
+    def load_rails_gem
+      if version = self.class.gem_version
+        gem 'rails', version
+      else
+        gem 'rails'
+      end
+    rescue Gem::LoadError => load_error
+      $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+      exit 1
+    end
+
+    class << self
+      def rubygems_version
+        Gem::RubyGemsVersion rescue nil
+      end
+
+      def gem_version
+        if defined? RAILS_GEM_VERSION
+          RAILS_GEM_VERSION
+        elsif ENV.include?('RAILS_GEM_VERSION')
+          ENV['RAILS_GEM_VERSION']
+        else
+          parse_gem_version(read_environment_rb)
+        end
+      end
+
+      def load_rubygems
+        require 'rubygems'
+        min_version = '1.1.1'
+        unless rubygems_version >= min_version
+          $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+          exit 1
+        end
+ 
+      rescue LoadError
+        $stderr.puts %Q(Rails requires RubyGems >= #{min_version}. Please install RubyGems and try again: http://rubygems.rubyforge.org)
+        exit 1
+      end
+
+      def parse_gem_version(text)
+        $1 if text =~ /^[^#]*RAILS_GEM_VERSION\s*=\s*["']([!~<>=]*\s*[\d.]+)["']/
+      end
+
+      private
+        def read_environment_rb
+          environment_rb = "#{RAILS_ROOT}/config/environment.rb"
+          environment_rb = "#{HELPER_RAILS_ROOT}/config/environment.rb" unless File.exists?(environment_rb)
+          File.read(environment_rb)
+        end
+    end
+  end
+end
+
+
+class Rails::Boot
+  def run
+    load_initializer
+
+    Rails::Initializer.class_eval do
+      def load_gems
+        @bundler_loaded ||= Bundler.require :default, Rails.env
+      end
+    end
+
+    Rails::Initializer.run(:set_load_path)
+  end
+end
+
+# All that for this:
+Rails.boot!

data/spec/rails-2.3/app_root/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/rails-2.3/app_root/config/environment.rb

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__), 'boot')
+
+Rails::Initializer.run do |config|
+  config.cache_classes = false
+  config.whiny_nils = true
+  config.action_controller.session = { :key => "_myapp_session", :secret => "gwirofjweroijger8924rt2zfwehfuiwehb1378rifowenfoqwphf23" }
+  #config.plugin_locators.unshift(
+  #  Class.new(Rails::Plugin::Locator) do
+  #    def plugins
+  #      [Rails::Plugin.new(File.expand_path('.'))]
+  #    end
+  #  end
+  #) unless defined?(PluginTestHelper::PluginLocator)
+end

data/spec/rails-2.3/app_root/config/environments/test.rb

@@ -0,0 +1,28 @@
+# Settings specified here will take precedence over those in config/environment.rb
+
+# The test environment is used exclusively to run your application's
+# test suite.  You never need to work with it otherwise.  Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs.  Don't rely on the data there!
+config.cache_classes = true
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.action_controller.consider_all_requests_local = true
+config.action_controller.perform_caching             = false
+config.action_view.cache_template_loading            = true
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection    = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+config.action_mailer.delivery_method = :test
+
+# Use SQL instead of Active Record's schema dumper when creating the test database.
+# This is necessary if your schema can't be completely dumped by the schema dumper,
+# like if you have constraints or database-specific column types
+# config.active_record.schema_format = :sql

data/spec/rails-2.3/app_root/config/preinitializer.rb

@@ -0,0 +1,20 @@
+begin
+  require "rubygems"
+  require "bundler"
+rescue LoadError
+  raise "Could not load the bundler gem. Install it with `gem install bundler`."
+end
+
+if Gem::Version.new(Bundler::VERSION) <= Gem::Version.new("0.9.24")
+  raise RuntimeError, "Your bundler version is too old for Rails 2.3." +
+   "Run `gem install bundler` to upgrade."
+end
+
+begin
+  # Set up load paths for all bundled gems
+  ENV["BUNDLE_GEMFILE"] = File.expand_path("../../Gemfile", __FILE__)
+  Bundler.setup
+rescue Bundler::GemNotFound
+  raise RuntimeError, "Bundler couldn't find some gems." +
+    "Did you run `bundle install`?"
+end

data/spec/rails-2.3/app_root/config/routes.rb

@@ -0,0 +1,4 @@
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+  map.connect ':controller/:action/:id.:format'
+end

data/spec/rails-2.3/app_root/lib/console_with_fixtures.rb

@@ -0,0 +1,4 @@
+# Loads fixtures into the database when running the test app via the console
+(ENV['FIXTURES'] ? ENV['FIXTURES'].split(/,/) : Dir.glob(File.join(Rails.root, '../fixtures/*.{yml,csv}'))).each do |fixture_file|
+  Fixtures.create_fixtures(File.join(Rails.root, '../fixtures'), File.basename(fixture_file, '.*'))
+end

data/spec/rails-2.3/app_root/log/.gitignore

@@ -0,0 +1 @@
+*.log

data/spec/rails-2.3/app_root/script/console

@@ -0,0 +1,7 @@
+irb = RUBY_PLATFORM =~ /(:?mswin|mingw)/ ? 'irb.bat' : 'irb'
+libs =  " -r irb/completion"
+libs << " -r test/test_helper"
+libs << " -r console_app"
+libs << " -r console_with_helpers"
+libs << " -r console_with_fixtures"
+exec "#{irb} #{libs} --simple-prompt"

data/spec/rails-2.3/rcov.opts

@@ -0,0 +1,2 @@
+--exclude "spec/*,gems/*"
+--rails

data/spec/rails-2.3/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format progress
+--loadby mtime
+--reverse

data/spec/rails-2.3/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+$: << File.join(File.dirname(__FILE__), "/../../lib" )
+
+ENV['RAILS_ENV'] = 'test'
+ENV['RAILS_ROOT'] = 'app_root'
+
+# Load the Rails environment and testing framework
+require "#{File.dirname(__FILE__)}/../app_root/config/environment"
+require 'spec/rails'
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+require 'rspec_candy/all'
+
+# Run the migrations
+print "\033[30m" # dark gray text
+ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate")
+print "\033[0m"
+
+Spec::Runner.configure do |config|
+  config.use_transactional_fixtures = true
+  config.use_instantiated_fixtures  = false
+end

data/spec/rails-3.2/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format progress

data/spec/rails-3.2/Gemfile

@@ -0,0 +1,9 @@
+source 'http://rubygems.org'
+
+gem 'sqlite3'
+gem 'rails', '~>3.2'
+gem 'rspec'
+gem 'rspec-rails'
+gem 'rspec_candy'
+gem 'haml-rails', '=0.4'
+gem 'angular_xss', :path => '../..'

data/spec/rails-3.2/Gemfile.lock

@@ -0,0 +1,128 @@
+PATH
+  remote: ../..
+  specs:
+    angular_xss (0.1.0)
+      activesupport
+      haml
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.2.16)
+      actionpack (= 3.2.16)
+      mail (~> 2.5.4)
+    actionpack (3.2.16)
+      activemodel (= 3.2.16)
+      activesupport (= 3.2.16)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.16)
+      activesupport (= 3.2.16)
+      builder (~> 3.0.0)
+    activerecord (3.2.16)
+      activemodel (= 3.2.16)
+      activesupport (= 3.2.16)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activeresource (3.2.16)
+      activemodel (= 3.2.16)
+      activesupport (= 3.2.16)
+    activesupport (3.2.16)
+      i18n (~> 0.6, >= 0.6.4)
+      multi_json (~> 1.0)
+    arel (3.0.3)
+    builder (3.0.4)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    haml (4.0.4)
+      tilt
+    haml-rails (0.4)
+      actionpack (>= 3.1, < 4.1)
+      activesupport (>= 3.1, < 4.1)
+      haml (>= 3.1, < 4.1)
+      railties (>= 3.1, < 4.1)
+    hike (1.2.3)
+    i18n (0.6.9)
+    journey (1.0.4)
+    json (1.8.1)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.25.1)
+    multi_json (1.8.2)
+    polyglot (0.3.3)
+    rack (1.4.5)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-ssl (1.3.3)
+      rack
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails (3.2.16)
+      actionmailer (= 3.2.16)
+      actionpack (= 3.2.16)
+      activerecord (= 3.2.16)
+      activeresource (= 3.2.16)
+      activesupport (= 3.2.16)
+      bundler (~> 1.0)
+      railties (= 3.2.16)
+    railties (3.2.16)
+      actionpack (= 3.2.16)
+      activesupport (= 3.2.16)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (>= 0.14.6, < 2.0)
+    rake (10.1.1)
+    rdoc (3.12.2)
+      json (~> 1.4)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.7)
+    rspec-expectations (2.14.4)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.4)
+    rspec-rails (2.14.1)
+      actionpack (>= 3.0)
+      activemodel (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec_candy (0.3.1)
+      rspec
+      sneaky-save
+    sneaky-save (0.0.4)
+      activerecord (>= 3.2.0)
+    sprockets (2.2.2)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.8)
+    thor (0.18.1)
+    tilt (1.4.1)
+    treetop (1.4.15)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.38)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  angular_xss!
+  haml-rails (= 0.4)
+  rails (~> 3.2)
+  rspec
+  rspec-rails
+  rspec_candy
+  sqlite3

data/spec/rails-3.2/Rakefile

@@ -0,0 +1,10 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+desc 'Default: Run all specs for a specific rails version.'
+task :default => :spec
+
+desc "Run all specs for a specific rails version"
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = defined?(SPEC) ? SPEC : ['**/*_spec.rb', '../shared/**/*_spec.rb']
+end

data/spec/rails-3.2/app_root/.gitignore

@@ -0,0 +1,4 @@
+.bundle
+db/*.sqlite3
+log/*.log
+tmp/**/*

data/spec/rails-3.2/app_root/config/application.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+# If you have a Gemfile, require the gems listed there, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env) if defined?(Bundler)
+
+
+module SpecApp
+  class Application < Rails::Application
+    config.encoding = "utf-8"
+
+    config.cache_classes = true
+    config.whiny_nils = true
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection    = false
+
+    config.action_mailer.delivery_method = :test
+
+    config.active_support.deprecation = :stderr
+
+    config.root = File.expand_path('../..', __FILE__)
+
+    # railties.plugins << Rails::Plugin.new(File.expand_path('../../../../..', __FILE__))
+  end
+end

data/spec/rails-3.2/app_root/config/boot.rb

@@ -0,0 +1,13 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+gemfile = File.expand_path('../../Gemfile', __FILE__)
+begin
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+rescue Bundler::GemNotFound => e
+  STDERR.puts e.message
+  STDERR.puts "Try running `bundle install`."
+  exit!
+end if File.exist?(gemfile)

data/spec/rails-3.2/app_root/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/rails-3.2/app_root/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+SpecApp::Application.initialize!

data/spec/rails-3.2/app_root/config/environments/test.rb

@@ -0,0 +1,35 @@
+SpecApp::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite.  You never need to work with it otherwise.  Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs.  Don't rely on the data there!
+  config.cache_classes = true
+
+  # Log error messages when you accidentally call methods on nil.
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Use SQL instead of Active Record's schema dumper when creating the test database.
+  # This is necessary if your schema can't be completely dumped by the schema dumper,
+  # like if you have constraints or database-specific column types
+  # config.active_record.schema_format = :sql
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+end

data/spec/rails-3.2/app_root/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/rails-3.2/app_root/config/initializers/inflections.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format
+# (all these examples are active by default):
+# ActiveSupport::Inflector.inflections do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end

data/spec/rails-3.2/app_root/config/initializers/mime_types.rb

@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone

data/spec/rails-3.2/app_root/config/initializers/secret_token.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+SpecApp::Application.config.secret_token = 'cb014a08a45243e7143f31e04774c342c1fba329fd594ae1a480d8283b1a851f425dc08044311fb4be6d000b6e6681de7c76d19148419a5ffa0a9f84556d3b33'

data/spec/rails-3.2/app_root/config/initializers/session_store.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+SpecApp::Application.config.session_store :cookie_store, :key => '_app_root_session'
+
+# Use the database for sessions instead of the cookie-based default,
+# which shouldn't be used to store highly confidential information
+# (create the session table with "rails generate session_migration")
+# SpecApp::Application.config.session_store :active_record_store

data/spec/rails-3.2/app_root/config/routes.rb

@@ -0,0 +1,58 @@
+SpecApp::Application.routes.draw do
+  # The priority is based upon order of creation:
+  # first created -> highest priority.
+
+  # Sample of regular route:
+  #   match 'products/:id' => 'catalog#view'
+  # Keep in mind you can assign values other than :controller and :action
+
+  # Sample of named route:
+  #   match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+  # This route can be invoked with purchase_url(:id => product.id)
+
+  # Sample resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Sample resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Sample resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Sample resource route with more complex sub-resources
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', :on => :collection
+  #     end
+  #   end
+
+  # Sample resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+
+  # You can have the root of your site routed with "root"
+  # just remember to delete public/index.html.
+  # root :to => "welcome#index"
+
+  # See how all your routes lay out with "rake routes"
+
+  # This is a legacy wild controller route that's not recommended for RESTful applications.
+  # Note: This route will make all actions in every controller accessible via GET requests.
+  match ':controller(/:action(/:id(.:format)))'
+end

data/spec/rails-3.2/app_root/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby1.8
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/spec/rails-3.2/rcov.opts

@@ -0,0 +1,2 @@
+--exclude "spec/*,gems/*"
+--rails

data/spec/rails-3.2/spec/spec_helper.rb

@@ -0,0 +1,20 @@
+$: << File.join(File.dirname(__FILE__), "/../../lib" )
+
+ENV['RAILS_ENV'] = 'test'
+ENV['RAILS_ROOT'] = 'app_root'
+
+# Load the Rails environment and testing framework
+require "#{File.dirname(__FILE__)}/../app_root/config/environment"
+require 'rspec/rails'
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+require 'rspec_candy/all'
+
+# Run the migrations
+print "\033[30m" # dark gray text
+ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate")
+print "\033[0m"
+
+RSpec.configure do |config|
+  config.use_transactional_fixtures = true
+  config.use_instantiated_fixtures  = false
+end

data/spec/shared/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/spec/shared/app_root/app/helpers/application_helper.rb

@@ -0,0 +1,3 @@
+module ApplicationHelper
+
+end

data/spec/shared/app_root/app/views/test/_test_erb.erb

@@ -0,0 +1,2 @@
+<%= "{{unsafe}}" %>
+<%= "{{safe}}".html_safe %>

data/spec/shared/app_root/app/views/test/_test_haml.haml

@@ -0,0 +1,3 @@
+= "{{unsafe}}"
+#{'{{unsafe}}'}
+= "{{safe}}".html_safe

data/spec/shared/app_root/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/shared/support/engine_preventing_angular_xss.rb

@@ -0,0 +1,12 @@
+shared_examples_for 'engine preventing Angular XSS' do
+
+  it 'escapes Angular interpolation marks iff a string is unsafe' do
+    engine = respond_to?(:view) ? view : template
+    html = engine.render(partial)
+    html.should include(" { { unsafe}}")
+    html.should_not include("{{unsafe}}")
+    html.should include("{{safe}}")
+    html.should_not include(" { { safe}}")
+  end
+
+end

data/spec/shared/tests/erb_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'Angular XSS prevention in ERB', :type => :view do
+
+  it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_erb'
+
+end

data/spec/shared/tests/haml_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'Angular XSS prevention in Haml', :type => :view do
+
+  it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_haml'
+
+end

metadata

@@ -0,0 +1,194 @@
+--- !ruby/object:Gem::Specification 
+name: angular_xss
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Henning Koch
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2014-01-03 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: haml
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+description: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
+email: henning.koch@makandra.de
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- LICENSE
+- README.md
+- Rakefile
+- assignable_values.gemspec
+- lib/angular_xss.rb
+- lib/angular_xss/erb.rb
+- lib/angular_xss/escaper.rb
+- lib/angular_xss/haml.rb
+- lib/angular_xss/version.rb
+- spec/rails-2.3/Gemfile
+- spec/rails-2.3/Gemfile.lock
+- spec/rails-2.3/Rakefile
+- spec/rails-2.3/app_root/config/boot.rb
+- spec/rails-2.3/app_root/config/database.yml
+- spec/rails-2.3/app_root/config/environment.rb
+- spec/rails-2.3/app_root/config/environments/test.rb
+- spec/rails-2.3/app_root/config/preinitializer.rb
+- spec/rails-2.3/app_root/config/routes.rb
+- spec/rails-2.3/app_root/lib/console_with_fixtures.rb
+- spec/rails-2.3/app_root/log/.gitignore
+- spec/rails-2.3/app_root/script/console
+- spec/rails-2.3/rcov.opts
+- spec/rails-2.3/spec.opts
+- spec/rails-2.3/spec/spec_helper.rb
+- spec/rails-3.2/.rspec
+- spec/rails-3.2/Gemfile
+- spec/rails-3.2/Gemfile.lock
+- spec/rails-3.2/Rakefile
+- spec/rails-3.2/app_root/.gitignore
+- spec/rails-3.2/app_root/config/application.rb
+- spec/rails-3.2/app_root/config/boot.rb
+- spec/rails-3.2/app_root/config/database.yml
+- spec/rails-3.2/app_root/config/environment.rb
+- spec/rails-3.2/app_root/config/environments/test.rb
+- spec/rails-3.2/app_root/config/initializers/backtrace_silencers.rb
+- spec/rails-3.2/app_root/config/initializers/inflections.rb
+- spec/rails-3.2/app_root/config/initializers/mime_types.rb
+- spec/rails-3.2/app_root/config/initializers/secret_token.rb
+- spec/rails-3.2/app_root/config/initializers/session_store.rb
+- spec/rails-3.2/app_root/config/routes.rb
+- spec/rails-3.2/app_root/lib/tasks/.gitkeep
+- spec/rails-3.2/app_root/log/.gitkeep
+- spec/rails-3.2/app_root/script/rails
+- spec/rails-3.2/rcov.opts
+- spec/rails-3.2/spec/spec_helper.rb
+- spec/shared/app_root/app/controllers/application_controller.rb
+- spec/shared/app_root/app/helpers/application_helper.rb
+- spec/shared/app_root/app/models/.gitkeep
+- spec/shared/app_root/app/views/test/_test_erb.erb
+- spec/shared/app_root/app/views/test/_test_haml.haml
+- spec/shared/app_root/config/database.yml
+- spec/shared/app_root/db/migrate/.gitkeep
+- spec/shared/support/engine_preventing_angular_xss.rb
+- spec/shared/tests/erb_spec.rb
+- spec/shared/tests/haml_spec.rb
+has_rdoc: true
+homepage: https://github.com/makandra/angular_xss
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.9.5
+signing_key: 
+specification_version: 3
+summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
+test_files: 
+- spec/rails-2.3/Gemfile
+- spec/rails-2.3/Gemfile.lock
+- spec/rails-2.3/Rakefile
+- spec/rails-2.3/app_root/config/boot.rb
+- spec/rails-2.3/app_root/config/database.yml
+- spec/rails-2.3/app_root/config/environment.rb
+- spec/rails-2.3/app_root/config/environments/test.rb
+- spec/rails-2.3/app_root/config/preinitializer.rb
+- spec/rails-2.3/app_root/config/routes.rb
+- spec/rails-2.3/app_root/lib/console_with_fixtures.rb
+- spec/rails-2.3/app_root/log/.gitignore
+- spec/rails-2.3/app_root/script/console
+- spec/rails-2.3/rcov.opts
+- spec/rails-2.3/spec.opts
+- spec/rails-2.3/spec/spec_helper.rb
+- spec/rails-3.2/.rspec
+- spec/rails-3.2/Gemfile
+- spec/rails-3.2/Gemfile.lock
+- spec/rails-3.2/Rakefile
+- spec/rails-3.2/app_root/.gitignore
+- spec/rails-3.2/app_root/config/application.rb
+- spec/rails-3.2/app_root/config/boot.rb
+- spec/rails-3.2/app_root/config/database.yml
+- spec/rails-3.2/app_root/config/environment.rb
+- spec/rails-3.2/app_root/config/environments/test.rb
+- spec/rails-3.2/app_root/config/initializers/backtrace_silencers.rb
+- spec/rails-3.2/app_root/config/initializers/inflections.rb
+- spec/rails-3.2/app_root/config/initializers/mime_types.rb
+- spec/rails-3.2/app_root/config/initializers/secret_token.rb
+- spec/rails-3.2/app_root/config/initializers/session_store.rb
+- spec/rails-3.2/app_root/config/routes.rb
+- spec/rails-3.2/app_root/lib/tasks/.gitkeep
+- spec/rails-3.2/app_root/log/.gitkeep
+- spec/rails-3.2/app_root/script/rails
+- spec/rails-3.2/rcov.opts
+- spec/rails-3.2/spec/spec_helper.rb
+- spec/shared/app_root/app/controllers/application_controller.rb
+- spec/shared/app_root/app/helpers/application_helper.rb
+- spec/shared/app_root/app/models/.gitkeep
+- spec/shared/app_root/app/views/test/_test_erb.erb
+- spec/shared/app_root/app/views/test/_test_haml.haml
+- spec/shared/app_root/config/database.yml
+- spec/shared/app_root/db/migrate/.gitkeep
+- spec/shared/support/engine_preventing_angular_xss.rb
+- spec/shared/tests/erb_spec.rb
+- spec/shared/tests/haml_spec.rb