angular_xss 0.1.0 → 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: cca3cff1d32777a0e9ae8857bc136981cb61c359
+  data.tar.gz: 520d0d7d7122a4d630fca1d5a09d1f98f9ca1ef3
+SHA512:
+  metadata.gz: caf93d6ac6230f240914ba3bbed906c688435d7b4acd5ec925a55f5b13476c8b1fd4c1c9cf8b3641315ec8c3845cdff2b7c78c30f7ff7247d4f4b4f760b18601
+  data.tar.gz: 20b38f1cb2a45f52fb4083ada04e33c2c926ba62989e8f0651645e02ecd0da1df7d484e0eaaedc111ae18f866b1c179e43e9f2b9f5642181461b32ce89319268

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+rvm:
+  - "1.8.7"
+  - "1.9.3"
+  - ree
+services:
+  - mysql
+script: rake travis:run
+notifications:
+  email:
+    - fail@makandra.de
+branches:
+  only:
+    - master
+

data/README.md

@@ -1,11 +1,24 @@
-angular_xss
+angular_xss [![Build Status](https://travis-ci.org/makandra/angular_xss.png?branch=master)](https://travis-ci.org/makandra/angular_xss)
 ===========
 
 When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
 
-This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `.
+This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
 
-**This is an unsatisfactory hack.** A better solution is very much desired, but might not be possible without significant refactoring of AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
+**This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
+
+
+Disable escaping locally
+------------------------
+
+If you want to disable angular_xss in some part of your app, you can use
+
+```
+AngularXss.disable do
+  # no escaping here
+end
+# escaped again
+```
 
 
 Installation
@@ -15,7 +28,7 @@ Installation
 
 1. Put this into your Gemfile **after other templating engines** like Haml or Erubis:
 
-    gem 'angular_xss' # put me after Haml, Erubis and other templating engines
+        gem 'angular_xss' # put me after Haml, Erubis and other templating engines
 
 2. Run `bundle install`.
 
@@ -24,9 +37,11 @@ Installation
 4. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
 
 
-Known issues
-------------
-- Requires Haml. Could be refactored to only patch ERB/rails_xss.
+Known limitations
+-----------------
+- Requires Haml. It could be refactored to only patch ERB/rails_xss.
+- When using Haml with angular_xss, you can no longer use interpolation symbols in `class` or `id` attributes,
+  even if the value is marked as `html_safe`. This is a limitation of Haml. Try using `ng-class` instead.
 
 
 Development

data/{assignable_values.gemspec → angular_xss.gemspec}

@@ -16,5 +16,5 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.add_dependency('activesupport')
-  s.add_dependency('haml')
+  s.add_dependency('haml', '>=3.1.5') # Haml below 3.1.5 does not escape HTML attributes by default. Do not use it!
 end

data/lib/angular_xss/escaper.rb

@@ -1,8 +1,41 @@
 module AngularXss
+
+  def self.disable(&block)
+    Escaper.disable(&block)
+  end
+
+
   class Escaper
 
+    XSS_DISABLED_KEY = :_angular_xss_disabled
+
+    #BRACE = [
+    #  '\\{',
+    #  '{',
+    #  '{',
+    #  '&#x0*7b;',
+    #  '&#0*123;',
+    #]
+    #DOUBLE_BRACE_REGEXP = Regexp.new("(#{BRACE.join('|')})(#{BRACE.join('|')})", Regexp::IGNORECASE)
+
     def self.escape(string)
-      string.gsub('{{', ' { { ')
+      if disabled?
+        string
+      else
+        string.gsub('{{', ' { { ')
+      end
+    end
+
+    def self.disabled?
+      !!Thread.current[XSS_DISABLED_KEY]
+    end
+
+    def self.disable
+      old_disabled = Thread.current[XSS_DISABLED_KEY]
+      Thread.current[XSS_DISABLED_KEY] = true
+      yield
+    ensure
+      Thread.current[XSS_DISABLED_KEY] = old_disabled
     end
 
   end

data/lib/angular_xss/version.rb

@@ -1,3 +1,3 @@
 module AngularXss
-  VERSION = '0.1.0'
+  VERSION = '0.2.0'
 end

data/spec/rails-2.3/Gemfile

@@ -1,10 +1,12 @@
 source 'http://rubygems.org'
 
 gem 'sqlite3'
+gem 'test-unit', '=1.2.3', :platforms => :ruby_19 # satisfy Travis CI
+gem 'hoe', '=2.8.0', :platforms => :ruby_19 # satisfy Travis CI
 gem 'rails', '~>2.3.10'
 gem 'rspec', '<2'
 gem 'rspec-rails', '<2'
 gem 'rspec_candy'
-gem 'haml', '=3.0.25'
+gem 'haml', '=3.1.5'
 gem 'rails_xss'
 gem 'angular_xss', :path => '../..'

data/spec/rails-2.3/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: ../..
   specs:
-    angular_xss (0.1.0)
+    angular_xss (0.2.0)
       activesupport
-      haml
+      haml (>= 3.1.5)
 
 GEM
   remote: http://rubygems.org/
@@ -19,7 +19,9 @@ GEM
       activesupport (= 2.3.18)
     activesupport (2.3.18)
     erubis (2.7.0)
-    haml (3.0.25)
+    haml (3.1.5)
+    hoe (2.8.0)
+      rake (>= 0.8.7)
     rack (1.1.6)
     rails (2.3.18)
       actionmailer (= 2.3.18)
@@ -41,16 +43,20 @@ GEM
     sneaky-save (0.0.2)
       activerecord (>= 2.3.2)
     sqlite3 (1.3.8)
+    test-unit (1.2.3)
+      hoe (>= 1.5.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   angular_xss!
-  haml (= 3.0.25)
+  haml (= 3.1.5)
+  hoe (= 2.8.0)
   rails (~> 2.3.10)
   rails_xss
   rspec (< 2)
   rspec-rails (< 2)
   rspec_candy
   sqlite3
+  test-unit (= 1.2.3)

data/spec/rails-3.2/Gemfile

@@ -5,5 +5,6 @@ gem 'rails', '~>3.2'
 gem 'rspec'
 gem 'rspec-rails'
 gem 'rspec_candy'
+gem 'haml', '=4.0.2'
 gem 'haml-rails', '=0.4'
 gem 'angular_xss', :path => '../..'

data/spec/rails-3.2/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: ../..
   specs:
-    angular_xss (0.1.0)
+    angular_xss (0.2.0)
       activesupport
-      haml
+      haml (>= 3.1.5)
 
 GEM
   remote: http://rubygems.org/
@@ -39,7 +39,7 @@ GEM
     builder (3.0.4)
     diff-lcs (1.2.5)
     erubis (2.7.0)
-    haml (4.0.4)
+    haml (4.0.2)
       tilt
     haml-rails (0.4)
       actionpack (>= 3.1, < 4.1)
@@ -120,6 +120,7 @@ PLATFORMS
 
 DEPENDENCIES
   angular_xss!
+  haml (= 4.0.2)
   haml-rails (= 0.4)
   rails (~> 3.2)
   rspec

data/spec/shared/app_root/app/views/test/_test_erb.erb

@@ -1,2 +1,19 @@
 <%= "{{unsafe}}" %>
 <%= "{{safe}}".html_safe %>
+
+{{safe}}
+
+<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
+  {{safe}}
+</div>
+
+<%= '{&lcub;unsafe}}' %>
+<%= '{&lbrace;unsafe}}' %>
+<%= '{&#x7b;unsafe}}' %>
+<%= '{&#X7B;unsafe}}' %>
+<%= '{&#x000007b;unsafe}}' %>
+<%= '{&#x000000000007b;unsafe}}' %>
+<%= '{&#123;unsafe}}' %>
+<%= '{&#000000123;unsafe}}' %>
+<%= '{&#0000000000000123;unsafe}}' %>
+<%= '&lcub;&#x7b;unsafe}}' %>

data/spec/shared/app_root/app/views/test/_test_haml.haml

@@ -1,3 +1,23 @@
 = "{{unsafe}}"
 #{'{{unsafe}}'}
 = "{{safe}}".html_safe
+
+{{safe}}
+
+%div{:foo => '{{safe}}'.html_safe, :bar => '{{unsafe}}'}
+  {{safe}}
+
+-# We can't support Angular interpolations in class and id attributes.
+-# This is a limitation of Haml.
+%div{:class => '{{unsafe_id}}', :id => '{{unsafe_id}}'}
+
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'
+= '{{unsafe}}'

data/spec/shared/support/engine_preventing_angular_xss.rb

@@ -1,12 +1,75 @@
 shared_examples_for 'engine preventing Angular XSS' do
 
-  it 'escapes Angular interpolation marks iff a string is unsafe' do
-    engine = respond_to?(:view) ? view : template
-    html = engine.render(partial)
+  let(:engine) { respond_to?(:view) ? view : template }
+
+  let(:html) { engine.render(partial) }
+
+  it 'escapes Angular interpolation marks in unsafe strings' do
+    html.should_not include('{{unsafe}}')
+    html.should include(' { { unsafe}}')
+  end
+
+  it 'recognizes the many ways to express an opening curly brace in HTML' do
+
     html.should include(" { { unsafe}}")
     html.should_not include("{{unsafe}}")
+
+    braces = [
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{'
+    ]
+
+    braces.each do |brace1|
+      braces.each do |brace2|
+        html.should_not include("#{brace1}#{brace2}unsafe}}")
+      end
+    end
+
+  end
+
+  it 'does not escape Angular interpolation marks in safe strings' do
     html.should include("{{safe}}")
     html.should_not include(" { { safe}}")
   end
 
+  it 'does not escape Angular interpolation marks in a block where AngularXSS is disabled' do
+    result = nil
+    AngularXss.disable do
+      result = html
+    end
+
+    result.should include('{{unsafe}}')
+    result.should_not include(' { { unsafe}}')
+  end
+
+  it 'does escape Angular interpolation marks after the block where AngularXSS is disabled' do
+    AngularXss.disable do
+    end
+    result = html
+
+    result.should include(' { { unsafe}}')
+    result.should_not include('{{unsafe}}')
+  end
+
+  it 'is not confused by exceptions in disable blocks' do
+    class SomeException < StandardError; end
+
+    proc {
+      AngularXss.disable do
+        raise SomeException
+      end
+    }.should raise_error(SomeException)
+
+    html.should include(' { { unsafe}}')
+    html.should_not include('{{unsafe}}')
+  end
+
 end

metadata

@@ -1,65 +1,56 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: angular_xss
-version: !ruby/object:Gem::Version 
-  hash: 27
-  prerelease: 
-  segments: 
-  - 0
-  - 1
-  - 0
-  version: 0.1.0
+version: !ruby/object:Gem::Version
+  version: 0.2.0
 platform: ruby
-authors: 
+authors:
 - Henning Koch
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2014-01-03 00:00:00 +01:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2015-04-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: haml
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: 3.1.5
   type: :runtime
-  version_requirements: *id002
-description: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.5
+description: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped
+  in unsafe strings.
 email: henning.koch@makandra.de
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-- .gitignore
+files:
+- ".gitignore"
+- ".travis.yml"
 - LICENSE
 - README.md
 - Rakefile
-- assignable_values.gemspec
+- angular_xss.gemspec
 - lib/angular_xss.rb
 - lib/angular_xss/erb.rb
 - lib/angular_xss/escaper.rb
@@ -111,41 +102,32 @@ files:
 - spec/shared/support/engine_preventing_angular_xss.rb
 - spec/shared/tests/erb_spec.rb
 - spec/shared/tests/haml_spec.rb
-has_rdoc: true
 homepage: https://github.com/makandra/angular_xss
-licenses: 
+licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.3.9.5
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
-summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
-test_files: 
+specification_version: 4
+summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in
+  unsafe strings.
+test_files:
 - spec/rails-2.3/Gemfile
 - spec/rails-2.3/Gemfile.lock
 - spec/rails-2.3/Rakefile