angular_xss 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.travis.yml +15 -0
- data/README.md +22 -7
- data/{assignable_values.gemspec → angular_xss.gemspec} +1 -1
- data/lib/angular_xss/escaper.rb +34 -1
- data/lib/angular_xss/version.rb +1 -1
- data/spec/rails-2.3/Gemfile +3 -1
- data/spec/rails-2.3/Gemfile.lock +10 -4
- data/spec/rails-3.2/Gemfile +1 -0
- data/spec/rails-3.2/Gemfile.lock +4 -3
- data/spec/shared/app_root/app/views/test/_test_erb.erb +17 -0
- data/spec/shared/app_root/app/views/test/_test_haml.haml +20 -0
- data/spec/shared/support/engine_preventing_angular_xss.rb +66 -3
- metadata +50 -68
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: cca3cff1d32777a0e9ae8857bc136981cb61c359
|
4
|
+
data.tar.gz: 520d0d7d7122a4d630fca1d5a09d1f98f9ca1ef3
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: caf93d6ac6230f240914ba3bbed906c688435d7b4acd5ec925a55f5b13476c8b1fd4c1c9cf8b3641315ec8c3845cdff2b7c78c30f7ff7247d4f4b4f760b18601
|
7
|
+
data.tar.gz: 20b38f1cb2a45f52fb4083ada04e33c2c926ba62989e8f0651645e02ecd0da1df7d484e0eaaedc111ae18f866b1c179e43e9f2b9f5642181461b32ce89319268
|
data/.travis.yml
ADDED
data/README.md
CHANGED
@@ -1,11 +1,24 @@
|
|
1
|
-
angular_xss
|
1
|
+
angular_xss [![Build Status](https://travis-ci.org/makandra/angular_xss.png?branch=master)](https://travis-ci.org/makandra/angular_xss)
|
2
2
|
===========
|
3
3
|
|
4
4
|
When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
|
5
5
|
|
6
|
-
This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `.
|
6
|
+
This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
|
7
7
|
|
8
|
-
**This is an unsatisfactory hack.** A better solution is very much desired, but
|
8
|
+
**This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
|
9
|
+
|
10
|
+
|
11
|
+
Disable escaping locally
|
12
|
+
------------------------
|
13
|
+
|
14
|
+
If you want to disable angular_xss in some part of your app, you can use
|
15
|
+
|
16
|
+
```
|
17
|
+
AngularXss.disable do
|
18
|
+
# no escaping here
|
19
|
+
end
|
20
|
+
# escaped again
|
21
|
+
```
|
9
22
|
|
10
23
|
|
11
24
|
Installation
|
@@ -15,7 +28,7 @@ Installation
|
|
15
28
|
|
16
29
|
1. Put this into your Gemfile **after other templating engines** like Haml or Erubis:
|
17
30
|
|
18
|
-
|
31
|
+
gem 'angular_xss' # put me after Haml, Erubis and other templating engines
|
19
32
|
|
20
33
|
2. Run `bundle install`.
|
21
34
|
|
@@ -24,9 +37,11 @@ Installation
|
|
24
37
|
4. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
|
25
38
|
|
26
39
|
|
27
|
-
Known
|
28
|
-
|
29
|
-
- Requires Haml.
|
40
|
+
Known limitations
|
41
|
+
-----------------
|
42
|
+
- Requires Haml. It could be refactored to only patch ERB/rails_xss.
|
43
|
+
- When using Haml with angular_xss, you can no longer use interpolation symbols in `class` or `id` attributes,
|
44
|
+
even if the value is marked as `html_safe`. This is a limitation of Haml. Try using `ng-class` instead.
|
30
45
|
|
31
46
|
|
32
47
|
Development
|
data/lib/angular_xss/escaper.rb
CHANGED
@@ -1,8 +1,41 @@
|
|
1
1
|
module AngularXss
|
2
|
+
|
3
|
+
def self.disable(&block)
|
4
|
+
Escaper.disable(&block)
|
5
|
+
end
|
6
|
+
|
7
|
+
|
2
8
|
class Escaper
|
3
9
|
|
10
|
+
XSS_DISABLED_KEY = :_angular_xss_disabled
|
11
|
+
|
12
|
+
#BRACE = [
|
13
|
+
# '\\{',
|
14
|
+
# '{',
|
15
|
+
# '{',
|
16
|
+
# '�*7b;',
|
17
|
+
# '�*123;',
|
18
|
+
#]
|
19
|
+
#DOUBLE_BRACE_REGEXP = Regexp.new("(#{BRACE.join('|')})(#{BRACE.join('|')})", Regexp::IGNORECASE)
|
20
|
+
|
4
21
|
def self.escape(string)
|
5
|
-
|
22
|
+
if disabled?
|
23
|
+
string
|
24
|
+
else
|
25
|
+
string.gsub('{{', ' { { ')
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
def self.disabled?
|
30
|
+
!!Thread.current[XSS_DISABLED_KEY]
|
31
|
+
end
|
32
|
+
|
33
|
+
def self.disable
|
34
|
+
old_disabled = Thread.current[XSS_DISABLED_KEY]
|
35
|
+
Thread.current[XSS_DISABLED_KEY] = true
|
36
|
+
yield
|
37
|
+
ensure
|
38
|
+
Thread.current[XSS_DISABLED_KEY] = old_disabled
|
6
39
|
end
|
7
40
|
|
8
41
|
end
|
data/lib/angular_xss/version.rb
CHANGED
data/spec/rails-2.3/Gemfile
CHANGED
@@ -1,10 +1,12 @@
|
|
1
1
|
source 'http://rubygems.org'
|
2
2
|
|
3
3
|
gem 'sqlite3'
|
4
|
+
gem 'test-unit', '=1.2.3', :platforms => :ruby_19 # satisfy Travis CI
|
5
|
+
gem 'hoe', '=2.8.0', :platforms => :ruby_19 # satisfy Travis CI
|
4
6
|
gem 'rails', '~>2.3.10'
|
5
7
|
gem 'rspec', '<2'
|
6
8
|
gem 'rspec-rails', '<2'
|
7
9
|
gem 'rspec_candy'
|
8
|
-
gem 'haml', '=3.
|
10
|
+
gem 'haml', '=3.1.5'
|
9
11
|
gem 'rails_xss'
|
10
12
|
gem 'angular_xss', :path => '../..'
|
data/spec/rails-2.3/Gemfile.lock
CHANGED
@@ -1,9 +1,9 @@
|
|
1
1
|
PATH
|
2
2
|
remote: ../..
|
3
3
|
specs:
|
4
|
-
angular_xss (0.
|
4
|
+
angular_xss (0.2.0)
|
5
5
|
activesupport
|
6
|
-
haml
|
6
|
+
haml (>= 3.1.5)
|
7
7
|
|
8
8
|
GEM
|
9
9
|
remote: http://rubygems.org/
|
@@ -19,7 +19,9 @@ GEM
|
|
19
19
|
activesupport (= 2.3.18)
|
20
20
|
activesupport (2.3.18)
|
21
21
|
erubis (2.7.0)
|
22
|
-
haml (3.
|
22
|
+
haml (3.1.5)
|
23
|
+
hoe (2.8.0)
|
24
|
+
rake (>= 0.8.7)
|
23
25
|
rack (1.1.6)
|
24
26
|
rails (2.3.18)
|
25
27
|
actionmailer (= 2.3.18)
|
@@ -41,16 +43,20 @@ GEM
|
|
41
43
|
sneaky-save (0.0.2)
|
42
44
|
activerecord (>= 2.3.2)
|
43
45
|
sqlite3 (1.3.8)
|
46
|
+
test-unit (1.2.3)
|
47
|
+
hoe (>= 1.5.1)
|
44
48
|
|
45
49
|
PLATFORMS
|
46
50
|
ruby
|
47
51
|
|
48
52
|
DEPENDENCIES
|
49
53
|
angular_xss!
|
50
|
-
haml (= 3.
|
54
|
+
haml (= 3.1.5)
|
55
|
+
hoe (= 2.8.0)
|
51
56
|
rails (~> 2.3.10)
|
52
57
|
rails_xss
|
53
58
|
rspec (< 2)
|
54
59
|
rspec-rails (< 2)
|
55
60
|
rspec_candy
|
56
61
|
sqlite3
|
62
|
+
test-unit (= 1.2.3)
|
data/spec/rails-3.2/Gemfile
CHANGED
data/spec/rails-3.2/Gemfile.lock
CHANGED
@@ -1,9 +1,9 @@
|
|
1
1
|
PATH
|
2
2
|
remote: ../..
|
3
3
|
specs:
|
4
|
-
angular_xss (0.
|
4
|
+
angular_xss (0.2.0)
|
5
5
|
activesupport
|
6
|
-
haml
|
6
|
+
haml (>= 3.1.5)
|
7
7
|
|
8
8
|
GEM
|
9
9
|
remote: http://rubygems.org/
|
@@ -39,7 +39,7 @@ GEM
|
|
39
39
|
builder (3.0.4)
|
40
40
|
diff-lcs (1.2.5)
|
41
41
|
erubis (2.7.0)
|
42
|
-
haml (4.0.
|
42
|
+
haml (4.0.2)
|
43
43
|
tilt
|
44
44
|
haml-rails (0.4)
|
45
45
|
actionpack (>= 3.1, < 4.1)
|
@@ -120,6 +120,7 @@ PLATFORMS
|
|
120
120
|
|
121
121
|
DEPENDENCIES
|
122
122
|
angular_xss!
|
123
|
+
haml (= 4.0.2)
|
123
124
|
haml-rails (= 0.4)
|
124
125
|
rails (~> 3.2)
|
125
126
|
rspec
|
@@ -1,2 +1,19 @@
|
|
1
1
|
<%= "{{unsafe}}" %>
|
2
2
|
<%= "{{safe}}".html_safe %>
|
3
|
+
|
4
|
+
{{safe}}
|
5
|
+
|
6
|
+
<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
|
7
|
+
{{safe}}
|
8
|
+
</div>
|
9
|
+
|
10
|
+
<%= '{{unsafe}}' %>
|
11
|
+
<%= '{{unsafe}}' %>
|
12
|
+
<%= '{{unsafe}}' %>
|
13
|
+
<%= '{{unsafe}}' %>
|
14
|
+
<%= '{{unsafe}}' %>
|
15
|
+
<%= '{{unsafe}}' %>
|
16
|
+
<%= '{{unsafe}}' %>
|
17
|
+
<%= '{{unsafe}}' %>
|
18
|
+
<%= '{{unsafe}}' %>
|
19
|
+
<%= '{{unsafe}}' %>
|
@@ -1,3 +1,23 @@
|
|
1
1
|
= "{{unsafe}}"
|
2
2
|
#{'{{unsafe}}'}
|
3
3
|
= "{{safe}}".html_safe
|
4
|
+
|
5
|
+
{{safe}}
|
6
|
+
|
7
|
+
%div{:foo => '{{safe}}'.html_safe, :bar => '{{unsafe}}'}
|
8
|
+
{{safe}}
|
9
|
+
|
10
|
+
-# We can't support Angular interpolations in class and id attributes.
|
11
|
+
-# This is a limitation of Haml.
|
12
|
+
%div{:class => '{{unsafe_id}}', :id => '{{unsafe_id}}'}
|
13
|
+
|
14
|
+
= '{{unsafe}}'
|
15
|
+
= '{{unsafe}}'
|
16
|
+
= '{{unsafe}}'
|
17
|
+
= '{{unsafe}}'
|
18
|
+
= '{{unsafe}}'
|
19
|
+
= '{{unsafe}}'
|
20
|
+
= '{{unsafe}}'
|
21
|
+
= '{{unsafe}}'
|
22
|
+
= '{{unsafe}}'
|
23
|
+
= '{{unsafe}}'
|
@@ -1,12 +1,75 @@
|
|
1
1
|
shared_examples_for 'engine preventing Angular XSS' do
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
|
3
|
+
let(:engine) { respond_to?(:view) ? view : template }
|
4
|
+
|
5
|
+
let(:html) { engine.render(partial) }
|
6
|
+
|
7
|
+
it 'escapes Angular interpolation marks in unsafe strings' do
|
8
|
+
html.should_not include('{{unsafe}}')
|
9
|
+
html.should include(' { { unsafe}}')
|
10
|
+
end
|
11
|
+
|
12
|
+
it 'recognizes the many ways to express an opening curly brace in HTML' do
|
13
|
+
|
6
14
|
html.should include(" { { unsafe}}")
|
7
15
|
html.should_not include("{{unsafe}}")
|
16
|
+
|
17
|
+
braces = [
|
18
|
+
'{',
|
19
|
+
'{',
|
20
|
+
'{',
|
21
|
+
'{',
|
22
|
+
'{',
|
23
|
+
'{',
|
24
|
+
'{',
|
25
|
+
'{',
|
26
|
+
'{',
|
27
|
+
'{'
|
28
|
+
]
|
29
|
+
|
30
|
+
braces.each do |brace1|
|
31
|
+
braces.each do |brace2|
|
32
|
+
html.should_not include("#{brace1}#{brace2}unsafe}}")
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
end
|
37
|
+
|
38
|
+
it 'does not escape Angular interpolation marks in safe strings' do
|
8
39
|
html.should include("{{safe}}")
|
9
40
|
html.should_not include(" { { safe}}")
|
10
41
|
end
|
11
42
|
|
43
|
+
it 'does not escape Angular interpolation marks in a block where AngularXSS is disabled' do
|
44
|
+
result = nil
|
45
|
+
AngularXss.disable do
|
46
|
+
result = html
|
47
|
+
end
|
48
|
+
|
49
|
+
result.should include('{{unsafe}}')
|
50
|
+
result.should_not include(' { { unsafe}}')
|
51
|
+
end
|
52
|
+
|
53
|
+
it 'does escape Angular interpolation marks after the block where AngularXSS is disabled' do
|
54
|
+
AngularXss.disable do
|
55
|
+
end
|
56
|
+
result = html
|
57
|
+
|
58
|
+
result.should include(' { { unsafe}}')
|
59
|
+
result.should_not include('{{unsafe}}')
|
60
|
+
end
|
61
|
+
|
62
|
+
it 'is not confused by exceptions in disable blocks' do
|
63
|
+
class SomeException < StandardError; end
|
64
|
+
|
65
|
+
proc {
|
66
|
+
AngularXss.disable do
|
67
|
+
raise SomeException
|
68
|
+
end
|
69
|
+
}.should raise_error(SomeException)
|
70
|
+
|
71
|
+
html.should include(' { { unsafe}}')
|
72
|
+
html.should_not include('{{unsafe}}')
|
73
|
+
end
|
74
|
+
|
12
75
|
end
|
metadata
CHANGED
@@ -1,65 +1,56 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: angular_xss
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
|
5
|
-
prerelease:
|
6
|
-
segments:
|
7
|
-
- 0
|
8
|
-
- 1
|
9
|
-
- 0
|
10
|
-
version: 0.1.0
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.2.0
|
11
5
|
platform: ruby
|
12
|
-
authors:
|
6
|
+
authors:
|
13
7
|
- Henning Koch
|
14
8
|
autorequire:
|
15
9
|
bindir: bin
|
16
10
|
cert_chain: []
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
dependencies:
|
21
|
-
- !ruby/object:Gem::Dependency
|
11
|
+
date: 2015-04-13 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
22
14
|
name: activesupport
|
23
|
-
|
24
|
-
|
25
|
-
none: false
|
26
|
-
requirements:
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
27
17
|
- - ">="
|
28
|
-
- !ruby/object:Gem::Version
|
29
|
-
|
30
|
-
segments:
|
31
|
-
- 0
|
32
|
-
version: "0"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '0'
|
33
20
|
type: :runtime
|
34
|
-
version_requirements: *id001
|
35
|
-
- !ruby/object:Gem::Dependency
|
36
|
-
name: haml
|
37
21
|
prerelease: false
|
38
|
-
|
39
|
-
|
40
|
-
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: haml
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
41
31
|
- - ">="
|
42
|
-
- !ruby/object:Gem::Version
|
43
|
-
|
44
|
-
segments:
|
45
|
-
- 0
|
46
|
-
version: "0"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 3.1.5
|
47
34
|
type: :runtime
|
48
|
-
|
49
|
-
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: 3.1.5
|
41
|
+
description: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped
|
42
|
+
in unsafe strings.
|
50
43
|
email: henning.koch@makandra.de
|
51
44
|
executables: []
|
52
|
-
|
53
45
|
extensions: []
|
54
|
-
|
55
46
|
extra_rdoc_files: []
|
56
|
-
|
57
|
-
|
58
|
-
- .
|
47
|
+
files:
|
48
|
+
- ".gitignore"
|
49
|
+
- ".travis.yml"
|
59
50
|
- LICENSE
|
60
51
|
- README.md
|
61
52
|
- Rakefile
|
62
|
-
-
|
53
|
+
- angular_xss.gemspec
|
63
54
|
- lib/angular_xss.rb
|
64
55
|
- lib/angular_xss/erb.rb
|
65
56
|
- lib/angular_xss/escaper.rb
|
@@ -111,41 +102,32 @@ files:
|
|
111
102
|
- spec/shared/support/engine_preventing_angular_xss.rb
|
112
103
|
- spec/shared/tests/erb_spec.rb
|
113
104
|
- spec/shared/tests/haml_spec.rb
|
114
|
-
has_rdoc: true
|
115
105
|
homepage: https://github.com/makandra/angular_xss
|
116
|
-
licenses:
|
106
|
+
licenses:
|
117
107
|
- MIT
|
108
|
+
metadata: {}
|
118
109
|
post_install_message:
|
119
110
|
rdoc_options: []
|
120
|
-
|
121
|
-
require_paths:
|
111
|
+
require_paths:
|
122
112
|
- lib
|
123
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
124
|
-
|
125
|
-
requirements:
|
113
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
126
115
|
- - ">="
|
127
|
-
- !ruby/object:Gem::Version
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
version: "0"
|
132
|
-
required_rubygems_version: !ruby/object:Gem::Requirement
|
133
|
-
none: false
|
134
|
-
requirements:
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '0'
|
118
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
119
|
+
requirements:
|
135
120
|
- - ">="
|
136
|
-
- !ruby/object:Gem::Version
|
137
|
-
|
138
|
-
segments:
|
139
|
-
- 0
|
140
|
-
version: "0"
|
121
|
+
- !ruby/object:Gem::Version
|
122
|
+
version: '0'
|
141
123
|
requirements: []
|
142
|
-
|
143
124
|
rubyforge_project:
|
144
|
-
rubygems_version:
|
125
|
+
rubygems_version: 2.2.2
|
145
126
|
signing_key:
|
146
|
-
specification_version:
|
147
|
-
summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in
|
148
|
-
|
127
|
+
specification_version: 4
|
128
|
+
summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in
|
129
|
+
unsafe strings.
|
130
|
+
test_files:
|
149
131
|
- spec/rails-2.3/Gemfile
|
150
132
|
- spec/rails-2.3/Gemfile.lock
|
151
133
|
- spec/rails-2.3/Rakefile
|