angular_xss 0.4.0 → 1.0.0

data/Gemfile.rails-7.1.haml-6.lock

@@ -0,0 +1,122 @@
+PATH
+  remote: .
+  specs:
+    angular_xss (1.0.0)
+      activesupport
+      haml (>= 3.1.5)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionpack (7.1.3.4)
+      actionview (= 7.1.3.4)
+      activesupport (= 7.1.3.4)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.3.4)
+      activesupport (= 7.1.3.4)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activesupport (7.1.3.4)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    byebug (11.1.3)
+    concurrent-ruby (1.3.3)
+    connection_pool (2.4.1)
+    crass (1.0.6)
+    diff-lcs (1.5.1)
+    drb (2.2.1)
+    erubi (1.13.0)
+    gemika (0.8.3)
+    haml (6.3.0)
+      temple (>= 0.8.2)
+      thor
+      tilt
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    loofah (2.22.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
+    minitest (5.24.0)
+    mutex_m (0.2.0)
+    nokogiri (1.16.6-aarch64-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.8.0)
+    rack (3.1.3)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    rake (13.2.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    temple (0.10.3)
+    thor (1.3.1)
+    tilt (2.3.0)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+
+PLATFORMS
+  aarch64-linux
+  arm-linux
+  arm64-darwin
+  x86-linux
+  x86_64-darwin
+  x86_64-linux
+
+DEPENDENCIES
+  actionpack (~> 7.1)
+  angular_xss!
+  byebug
+  gemika (>= 0.8.3)
+  haml (~> 6)
+  rake
+  rspec
+
+BUNDLED WITH
+   2.5.13

data/README.md

@@ -7,6 +7,12 @@ This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are aut
 
 **This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
 
+🚧 Notice: unmaintained gem
+------------------
+
+We are no longer actively maintaining this gem.
+
+The `1.0` release added support for HAML 6 and Rails 7.1, so the gem will at least support Rails 3.2 - 7.1 and HAML 4 - 6. `angular_xss` might still work for future versions HAML and Rails, but we won't actively ensure it does.
 
 Disable escaping locally
 ------------------------
@@ -56,10 +62,13 @@ Development
 -----------
 
 - Fork the repository.
-- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
+- Prepare your changes, and ensure existing and new test are green:
+  - `bundle exec rake matrix:install` installs all dependencies for all Gemfiles
+  - `bundle exec rake matrix:spec` runs all specs in all configurations
+  - You may run single tests with a specified Rails version via `BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss`
+- Push your changes with specs. There is a test application in `spec/app_root` if you need to test integration with a live Rails app.
 - Send a pull request.
 
-
 Credits
 -------
 

data/angular_xss.gemspec

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.summary = 'Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.'
   s.description = s.summary
   s.license = 'MIT'
+  s.metadata = { 'rubygems_mfa_required' => 'true' }
 
   s.files         = `git ls-files`.split($\)
   s.test_files    = s.files.grep(%r{^spec/})

data/lib/angular_xss/erb.rb

@@ -1,33 +1,25 @@
-# Use module_eval so we crash when ERB::Util has not yet been loaded.
-ERB::Util.module_eval do
-
-  if private_method_defined? :unwrapped_html_escape # Rails 4.2+
-
-    def unwrapped_html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        unwrapped_html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+if ERB::Util.private_method_defined? :unwrapped_html_escape
+  # Rails 4.2+
+  # https://github.com/rails/rails/blob/main/activesupport/lib/active_support/core_ext/erb/util.rb
+  module ERBUtilExt
+    def html_escape_once(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
-    alias_method :unwrapped_html_escape_without_escaping_angular_expressions, :unwrapped_html_escape
-    alias_method :unwrapped_html_escape, :unwrapped_html_escape_with_escaping_angular_expressions
-
-    singleton_class.send(:remove_method, :unwrapped_html_escape)
-    module_function :unwrapped_html_escape
-    module_function :unwrapped_html_escape_without_escaping_angular_expressions
+    def unwrapped_html_escape(s)
+      super(AngularXss::Escaper.escape_if_unsafe(s))
+    end
+    # Note that html_escape() and h() are passively fixed as they are calling the two methods above
+  end
+  ERB::Util.prepend ERBUtilExt
+  ERB::Util.singleton_class.prepend ERBUtilExt
 
-  else # Rails < 4.2
+else
+  ERB::Util.module_eval do
+    # Rails < 4.2
 
     def html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
     alias_method_chain :html_escape, :escaping_angular_expressions
@@ -41,7 +33,5 @@ ERB::Util.module_eval do
     singleton_class.send(:remove_method, :html_escape)
     module_function :html_escape
     module_function :html_escape_without_escaping_angular_expressions
-
   end
-
 end

data/lib/angular_xss/escaper.rb

@@ -27,6 +27,14 @@ module AngularXss
       end
     end
 
+    def self.escape_if_unsafe(string)
+      if string.nil? || string.to_s.html_safe?
+        string
+      else
+        escape(string.to_s)
+      end
+    end
+
     def self.disabled?
       !!Thread.current[XSS_DISABLED_KEY]
     end

data/lib/angular_xss/haml.rb

@@ -1,32 +1,38 @@
-# Haml 5.0 and 5.1 fall back to erb
-if Haml::VERSION < '5'
+haml_version = Gem::Version.new(Haml::VERSION)
+
+if haml_version < Gem::Version.new(5)
   # Use module_eval so we crash when Haml::Helpers has not yet been loaded.
   Haml::Helpers.module_eval do
-
     def html_escape_with_escaping_angular_expressions(s)
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
-      end
+      html_escape_without_escaping_angular_expressions(AngularXss::Escaper.escape_if_unsafe(s))
     end
 
     alias_method :html_escape_without_escaping_angular_expressions, :html_escape
     alias_method :html_escape, :html_escape_with_escaping_angular_expressions
   end
+elsif haml_version < Gem::Version.new('5.2')
+  # Haml 5.0 and 5.1 fall back to erb
+elsif haml_version < Gem::Version.new(6)
+  # HAML 5.2+
+  module HTMLEscapeWithoutHAMLWithAngularXSS
+    def html_escape_without_haml_xss(html)
+      super(AngularXss::Escaper.escape_if_unsafe(html))
+    end
+  end
 
-elsif Haml::VERSION >= '5.2' 
-  Haml::Helpers.module_eval do
-
-    def html_escape_without_haml_xss_with_escaping_angular_expressions(s)
-      s = s.to_s
-      return s if s.html_safe?
+  Haml::Helpers.singleton_class.prepend HTMLEscapeWithoutHAMLWithAngularXSS
+else
+  # Haml 6+
+  # It ditched most of is own helpers in favor of Haml::Util.escape_html
+  # https://github.com/haml/haml/blob/main/CHANGELOG.md#600
+  # https://github.com/haml/haml/compare/v5.2.2...v6.3.0
+  # https://github.com/haml/haml/blob/v6.3.0/lib/haml/util.rb
 
-      html_escape_without_haml_xss_without_escaping_angular_expressions(AngularXss::Escaper.escape(s))
+  module EscapeHTMLWithAngularXSS
+    def escape_html(html)
+      super(AngularXss::Escaper.escape_if_unsafe(html))
     end
-
-    alias_method :html_escape_without_haml_xss_without_escaping_angular_expressions, :html_escape_without_haml_xss
-    alias_method :html_escape_without_haml_xss, :html_escape_without_haml_xss_with_escaping_angular_expressions
   end
+
+  Haml::Util.singleton_class.prepend EscapeHTMLWithAngularXSS
 end

data/lib/angular_xss/output_buffer.rb

@@ -0,0 +1,25 @@
+##
+# Monkey patch ActionView::OutputBuffer to escape double braces from Angular
+#
+# Link to the original implementation without Angular XSS escaping:
+# https://github.com/rails/rails/blob/v7.1.3.4/actionview/lib/action_view/buffers.rb
+
+
+if defined?(ActionView::VERSION) && Gem::Version.new(ActionView::VERSION::STRING) >= Gem::Version.new('7.1')
+  # ActionView < 7.1 used our patched ERB::Util.h to escape, 7.1 switched to CGI.escapeHTML
+  module OutputBufferWithEscapedAngularXSS
+    def <<(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+
+    def concat(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+
+    def append=(value)
+      super(AngularXss::Escaper.escape_if_unsafe(value))
+    end
+  end
+
+  ActionView::OutputBuffer.prepend OutputBufferWithEscapedAngularXSS
+end

data/lib/angular_xss/safe_buffer.rb

@@ -1,20 +1,44 @@
+##
+# Monkey patch ActiveSupport::SafeBuffer to escape double braces from Angular
+#
+# Link to the original implementation without Angular XSS escaping:
+# https://github.com/rails/rails/blob/7-0-stable/activesupport/lib/active_support/core_ext/string/output_safety.rb#L295
+#
 ActiveSupport::SafeBuffer.class_eval do
 
-  if private_method_defined? :html_escape_interpolated_argument
+  html_escape = :html_escape_interpolated_argument
+
+  if private_method_defined?(html_escape) || # Rails < 6.1
+    private_method_defined?(:"explicit_#{html_escape}") # Rails >= 6.1
 
     private
 
-    def html_escape_interpolated_argument_with_angular_xss(arg)
-      if arg.html_safe?
+    def explicit_html_escape_interpolated_argument_with_angular_xss(arg)
+      if !html_safe? || arg.html_safe?
         arg
       else
-        html_escape_interpolated_argument_without_angular_xss(AngularXss::Escaper.escape(arg))
+        explicit_html_escape_interpolated_argument_without_angular_xss(AngularXss::Escaper.escape(arg))
       end
     end
 
-    alias_method :html_escape_interpolated_argument_without_angular_xss, :html_escape_interpolated_argument
-    alias_method :html_escape_interpolated_argument, :html_escape_interpolated_argument_with_angular_xss
+    if private_method_defined?(html_escape)
+      alias_method :"explicit_#{html_escape}_without_angular_xss", html_escape
+      alias_method html_escape, :"explicit_#{html_escape}_with_angular_xss"
+    elsif private_method_defined?(:"explicit_#{html_escape}")
+      alias_method :"explicit_#{html_escape}_without_angular_xss", :"explicit_#{html_escape}"
+      alias_method :"explicit_#{html_escape}", :"explicit_#{html_escape}_with_angular_xss"
+    end
 
+    if private_method_defined?(:"implicit_#{html_escape}")
+      def implicit_html_escape_interpolated_argument_with_angular_xss(arg)
+        if !html_safe? || arg.html_safe?
+          arg
+        else
+          implicit_html_escape_interpolated_argument_without_angular_xss(AngularXss::Escaper.escape(arg))
+        end
+      end
+      alias_method :"implicit_#{html_escape}_without_angular_xss", :"implicit_#{html_escape}"
+      alias_method :"implicit_#{html_escape}", :"implicit_#{html_escape}_with_angular_xss"
+    end
   end
-
 end

data/lib/angular_xss/version.rb

@@ -1,3 +1,3 @@
 module AngularXss
-  VERSION = '0.4.0'
+  VERSION = '1.0.0'
 end

data/lib/angular_xss.rb

@@ -1,6 +1,7 @@
 #"string".respond_to?(:html_safe?) or raise "No rails_xss implementation present"
 
 require 'angular_xss/escaper'
+require 'angular_xss/output_buffer'
 require 'angular_xss/safe_buffer'
 require 'angular_xss/erb'
 require 'angular_xss/haml'

data/spec/angular_xss/erb_spec.rb

@@ -1,7 +1,50 @@
-require 'spec_helper'
-
 describe 'Angular XSS prevention in ERB', :type => :view do
-
   it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_erb'
+end
+
+describe ERB::Util do
+  describe '#html_escape' do
+    it 'escapes angular braces' do
+      expect(described_class.html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not modify already HTML safe strings' do
+      expect(described_class.html_escape("{{safe}}".html_safe)).to eq("{{safe}}")
+    end
+  end
+
+  describe '#h' do
+    it 'escapes angular braces' do
+      expect(described_class.h("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not modify already HTML safe strings' do
+      expect(described_class.h("{{safe}}".html_safe)).to eq("{{safe}}")
+    end
+  end
+
+  # Rails < 4 does not implement unwrapped_html_escape and html_escape_once
+  if described_class.method_defined? :unwrapped_html_escape
+    describe '#unwrapped_html_escape' do
+      it 'escapes angular braces' do
+        expect(described_class.unwrapped_html_escape("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+      end
+
+      it 'does not modify already HTML safe strings' do
+        expect(described_class.unwrapped_html_escape("{{safe}}".html_safe)).to eq("{{safe}}")
+      end
+    end
+  end
+
+  if described_class.method_defined? :html_escape_once
+    describe '#html_escape_once' do
+      it 'escapes angular braces' do
+        expect(described_class.html_escape_once("{{unsafe}}")).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+      end
 
+      it 'does not modify already HTML safe strings' do
+        expect(described_class.html_escape_once("{{safe}}".html_safe)).to eq("{{safe}}")
+      end
+    end
+  end
 end

data/spec/angular_xss/escaper_spec.rb

@@ -0,0 +1,21 @@
+describe AngularXss::Escaper do
+  describe '.escape' do
+    it 'replaces double braces with a closed variant' do
+      expect(described_class.escape('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+
+    it 'does not handle HTML safe strings differently' do
+      expect(described_class.escape('{{'.html_safe)).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+  end
+
+  describe '.escape_if_unsafe' do
+    it 'replaces double braces with a closed variant' do
+      expect(described_class.escape_if_unsafe('{{')).to eq('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}')
+    end
+
+    it 'does not modify HTML safe strings' do
+      expect(described_class.escape_if_unsafe('{{'.html_safe)).to eq('{{')
+    end
+  end
+end

data/spec/angular_xss/haml_spec.rb

@@ -1,5 +1,3 @@
-require 'spec_helper'
-
 describe 'Angular XSS prevention in Haml', :type => :view do
 
   it_should_behave_like 'engine preventing Angular XSS', :partial => 'test_haml'

data/spec/angular_xss/output_buffer_spec.rb

@@ -0,0 +1,45 @@
+describe ActionView::OutputBuffer do
+  describe '#<<' do
+    it 'escapes angular braces' do
+      expect((subject << "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      expect((subject << "{{safe}}".html_safe).to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject << nil }.to_not raise_error
+    end
+  end
+
+  describe '#concat' do
+    it 'escapes angular braces' do
+      expect((subject.concat "{{unsafe}}").to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      expect((subject.concat "{{safe}}".html_safe).to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject.concat nil }.to_not raise_error
+    end
+  end
+
+  describe '#append=' do
+    it 'escapes angular braces' do
+      subject.append = "{{unsafe}}"
+      expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'does not change behavior for already HTML safe strings' do
+      subject.append = "{{safe}}".html_safe
+      expect(subject.to_s).to eq("{{safe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject.append = nil }.to_not raise_error
+    end
+  end
+end

data/spec/angular_xss/safe_buffer_spec.rb

@@ -1,9 +1,21 @@
-require 'spec_helper'
-
 describe ActiveSupport::SafeBuffer do
 
-  it 'still allows concatting nil' do
-    expect { subject << nil }.to_not raise_error
+  describe '#<<' do
+    it 'escapes angular braces' do
+      subject << "{{unsafe}}"
+      expect(subject.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
+
+    it 'allows concatting nil' do
+      expect { subject << nil }.to_not raise_error
+    end
+  end
+
+  describe '#+' do
+    it 'escapes angular braces' do
+      combined_string = subject + "{{unsafe}}"
+      expect(combined_string.to_s).to eq("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    end
   end
 
 end

data/spec/spec_helper.rb

@@ -17,7 +17,11 @@ module Rails
 end
 
 require 'haml'
-require 'haml/template'
+if Gem::Version.new(Haml::VERSION) < Gem::Version.new(6)
+  require 'haml/template'
+else
+  require 'haml/rails_template'
+end
 
 require 'angular_xss'
 
@@ -25,13 +29,3 @@ require 'angular_xss'
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
 
 TEMPLATE_ROOT = Pathname.new(__dir__).join('templates')
-
-
-RSpec.configure do |config|
-  config.mock_with :rspec do |c|
-    c.syntax = [:should, :expect]
-  end
-  config.expect_with :rspec do |c|
-    c.syntax = [:should, :expect]
-  end
-end

data/spec/support/engine_preventing_angular_xss.rb

@@ -2,7 +2,7 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
 
   let(:path_set) { ActionView::LookupContext.new([TEMPLATE_ROOT]) }
 
-  if defined?(ActionView::VERSION) && ActionView::VERSION::MAJOR >= 6
+  if defined?(ActionView::VERSION) && Gem::Version.new(ActionView::VERSION::MAJOR) >= Gem::Version.new(6)
     let(:engine) { ActionView::Base.with_empty_template_cache.new(path_set, {}, nil) }
   else
     let(:engine) { ActionView::Base.new(path_set) }
@@ -11,14 +11,18 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
   let(:html) { engine.render(partial) }
 
   it 'escapes Angular interpolation marks in unsafe strings' do
-    html.should_not include('{{unsafe}}')
-    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(html).not_to include('{{unsafe}}')
+    expect(html).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'recognizes the many ways to express an opening curly brace in HTML' do
+    # Only unsafe strings are escaped
+    expect(html).to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
 
-    html.should include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
-    html.should_not include("{{unsafe}}")
+    # Only safe strings with braces are left untouched
+    expect(html).to include("{{safe}}")
+    expect(html).not_to include("{{unsafe}}")
 
     braces = [
      '{',
@@ -35,15 +39,15 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
 
     braces.each do |brace1|
       braces.each do |brace2|
-        html.should_not include("#{brace1}#{brace2}unsafe}}")
+        expect(html).not_to include("#{brace1}#{brace2}unsafe}}")
       end
     end
 
   end
 
   it 'does not escape Angular interpolation marks in safe strings' do
-    html.should include("{{safe}}")
-    html.should_not include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+    expect(html).to include("{{safe}}")
+    expect(html).not_to include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
   end
 
   it 'does not escape Angular interpolation marks in a block where AngularXSS is disabled' do
@@ -52,8 +56,8 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
       result = html
     end
 
-    result.should include('{{unsafe}}')
-    result.should_not include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(result).to include('{{unsafe}}')
+    expect(result).not_to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'does escape Angular interpolation marks after the block where AngularXSS is disabled' do
@@ -61,27 +65,27 @@ shared_examples_for 'engine preventing Angular XSS' do |partial:|
     end
     result = html
 
-    result.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
-    result.should_not include('{{unsafe}}')
+    expect(result).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(result).not_to include('{{unsafe}}')
   end
 
   it 'is not confused by exceptions in disable blocks' do
     class SomeException < StandardError; end
 
-    proc {
+    expect do
       AngularXss.disable do
         raise SomeException
       end
-    }.should raise_error(SomeException)
+    end.to raise_error(SomeException)
 
-    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
-    html.should_not include('{{unsafe}}')
+    expect(html).to include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+    expect(html).not_to include('{{unsafe}}')
   end
 
   it 'does not escape twice' do
     escaped = AngularXss::Escaper.escape('{{')
     double_escaped = AngularXss::Escaper.escape(escaped)
-    html.should_not include(double_escaped)
+    expect(html).not_to include(double_escaped)
   end
 
 end