angular_xss 0.2.3 → 0.3.0

data/README.md

@@ -3,7 +3,7 @@ angular_xss [![Build Status](https://travis-ci.org/makandra/angular_xss.png?bran
 
 When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
 
-This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
+This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with `{{ $root.DOUBLE_LEFT_CURLY_BRACE }}`. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
 
 **This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
 
@@ -32,9 +32,17 @@ Installation
 
 2. Run `bundle install`.
 
-3. Run your test suite to find the places that broke.
+3. Add this to your Angular code (replacing "myApp" of course):
 
-4. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
+   ```
+   angular.module('myApp', []).run(['$rootScope', function($rootScope) {
+     $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{';
+   }]);
+   ```
+
+4. Run your test suite to find the places that broke.
+
+5. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
 
 
 Known limitations

data/lib/angular_xss/escaper.rb

@@ -23,7 +23,7 @@ module AngularXss
       if disabled?
         string
       else
-        string.gsub('{{', ' { { ')
+        string.to_s.gsub('{{'.freeze, '{{ $root.DOUBLE_LEFT_CURLY_BRACE }}'.freeze)
       end
     end
 
@@ -41,4 +41,3 @@ module AngularXss
 
   end
 end
-

data/lib/angular_xss/version.rb

@@ -1,3 +1,3 @@
 module AngularXss
-  VERSION = '0.2.3'
+  VERSION = '0.3.0'
 end

data/spec/rails-2.3/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../..
   specs:
-    angular_xss (0.2.3)
+    angular_xss (0.3.0)
       activesupport
       haml (>= 3.1.5)
 

data/spec/rails-3.2/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../..
   specs:
-    angular_xss (0.2.3)
+    angular_xss (0.3.0)
       activesupport
       haml (>= 3.1.5)
 

data/spec/rails-4.2/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../..
   specs:
-    angular_xss (0.2.3)
+    angular_xss (0.3.0)
       activesupport
       haml (>= 3.1.5)
 

data/spec/shared/support/engine_preventing_angular_xss.rb

@@ -6,12 +6,12 @@ shared_examples_for 'engine preventing Angular XSS' do
 
   it 'escapes Angular interpolation marks in unsafe strings' do
     html.should_not include('{{unsafe}}')
-    html.should include(' { { unsafe}}')
+    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'recognizes the many ways to express an opening curly brace in HTML' do
 
-    html.should include(" { { unsafe}}")
+    html.should include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
     html.should_not include("{{unsafe}}")
 
     braces = [
@@ -37,7 +37,7 @@ shared_examples_for 'engine preventing Angular XSS' do
 
   it 'does not escape Angular interpolation marks in safe strings' do
     html.should include("{{safe}}")
-    html.should_not include(" { { safe}}")
+    html.should_not include("{{ $root.DOUBLE_LEFT_CURLY_BRACE }}safe}}")
   end
 
   it 'does not escape Angular interpolation marks in a block where AngularXSS is disabled' do
@@ -47,7 +47,7 @@ shared_examples_for 'engine preventing Angular XSS' do
     end
 
     result.should include('{{unsafe}}')
-    result.should_not include(' { { unsafe}}')
+    result.should_not include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
   end
 
   it 'does escape Angular interpolation marks after the block where AngularXSS is disabled' do
@@ -55,7 +55,7 @@ shared_examples_for 'engine preventing Angular XSS' do
     end
     result = html
 
-    result.should include(' { { unsafe}}')
+    result.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
     result.should_not include('{{unsafe}}')
   end
 
@@ -68,7 +68,7 @@ shared_examples_for 'engine preventing Angular XSS' do
       end
     }.should raise_error(SomeException)
 
-    html.should include(' { { unsafe}}')
+    html.should include('{{ $root.DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
     html.should_not include('{{unsafe}}')
   end
 

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: angular_xss
 version: !ruby/object:Gem::Version 
-  hash: 17
+  hash: 19
   prerelease: 
   segments: 
   - 0
-  - 2
   - 3
-  version: 0.2.3
+  - 0
+  version: 0.3.0
 platform: ruby
 authors: 
 - Henning Koch
@@ -15,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2015-04-17 00:00:00 +02:00
-default_executable: 
+date: 2017-07-31 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -138,7 +137,6 @@ files:
 - spec/shared/tests/erb_spec.rb
 - spec/shared/tests/haml_spec.rb
 - spec/shared/tests/safe_buffer_spec.rb
-has_rdoc: true
 homepage: https://github.com/makandra/angular_xss
 licenses: 
 - MIT
@@ -168,7 +166,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.8.30
 signing_key: 
 specification_version: 3
 summary: Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
@@ -241,3 +239,4 @@ test_files:
 - spec/shared/tests/erb_spec.rb
 - spec/shared/tests/haml_spec.rb
 - spec/shared/tests/safe_buffer_spec.rb
+has_rdoc: