rails-angular-xss 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bcd0f11ee1591adf59aa843bcacfa2d59852f04d
+  data.tar.gz: 7c2ce0a62786dcc9bee4af032ae90d67ae479581
+SHA512:
+  metadata.gz: cfb3985aa9f153fb40bee4d3acfd31da3244e131c6c155904156402d5f1298742d6bb3f6250828118bb9f4b2fbdc38507cd735965674429c01b79bd936c78ae1
+  data.tar.gz: 12479dffdaa8af83c6e2532c994cfad10b568daaf0c487ba4a11ea24b6ee77479a9f68db2d3c605c5983e4c1e4022d6524ce2bd31e37af6615871af7a59c25de

data/.gitignore

@@ -0,0 +1,5 @@
+doc
+pkg
+*.gem
+.idea
+spec/*/log/*

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+  - 2.1
+  - 2.2
+services:
+  - mysql
+script: rake travis:run
+branches:
+  only:
+    - master
+

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Henning Koch
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,55 @@
+rails-angular-xss [![Build Status](https://travis-ci.org/opf/rails-angular-xss.png?branch=master)](https://travis-ci.org/opf/rails-angular-xss)
+===========
+
+When rendering AngularJS templates with a server-side templating engine like ERB it is easy to introduce XSS vulnerabilities.
+These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).
+
+This gem patches ERB/rails_xss so AngularJS interpolation symbols are auto-escaped in unsafe strings.
+And by auto-escaped we mean replacing `{{` with ` {{ DOUBLE_LEFT_CURLY_BRACE }}`. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
+
+**This is an unsatisfactory hack.**
+A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).
+
+Requirements
+------------
+
+* Rails 4.2
+
+
+Installation
+------------
+
+0. Read the code so you know what you're getting into.
+
+1. Put this into your Gemfile
+
+        gem 'angular_xss'
+
+2. Run `bundle install`.
+
+4. **Important:** Add `$rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'` to your Angular app initialization.
+
+5. Run your test suite to find the places that broke.
+
+6. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
+
+How it works
+------------
+
+This gem patches ERB.Util HTML_ESCAPE constants to replace *any* occurence of the string `{{` with the replacement ``{{ DOUBLE_LEFT_CURLY_BRACE }}`. This will be interpolated by Angular, **and assuming you've followed step 4. above**, Angular returns the interpolated string `{{`.
+
+This allows users to actually use `{{` without it being transformed by some invisible spaces, unicode characaters that *look like*  a curly bracket and so on.
+
+
+Development
+-----------
+
+- Fork the repository.
+- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
+- Send a pull request.
+
+
+Credits
+-------
+
+[Henning Koch](mailto:henning.koch@makandra.de) from [makandra](http://makandra.com/).

data/Rakefile

@@ -0,0 +1,55 @@
+require 'rake'
+require 'bundler/gem_tasks'
+
+desc 'Default: Run all specs.'
+task :default => 'all:spec'
+
+
+namespace :travis do
+  desc 'Run tests on Travis CI'
+  task :run => ['all:bundle:install', 'all:spec']
+end
+
+namespace :all do
+
+  desc "Run specs on all spec apps"
+  task :spec do
+    success = true
+    for_each_directory_of('spec/**/Rakefile') do |directory|
+      env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
+      success &= system("cd #{directory} && #{env} bundle exec rake spec")
+    end
+    fail "Tests failed" unless success
+  end
+
+  namespace :bundle do
+
+    desc "Bundle all spec apps"
+    task :install do
+      for_each_directory_of('spec/**/Gemfile') do |directory|
+        Bundler.with_clean_env do
+          system("cd #{directory} && bundle install")
+        end
+      end
+    end
+
+    desc "Update all gems, or a list of gem given by the GEM environment variable"
+    task :update do
+      for_each_directory_of('spec/**/Gemfile') do |directory|
+        Bundler.with_clean_env do
+          system("cd #{directory} && bundle update #{ENV['GEM']}")
+        end
+      end
+    end
+
+  end
+
+end
+
+def for_each_directory_of(path, &block)
+  Dir[path].sort.each do |rakefile|
+    directory = File.dirname(rakefile)
+    puts '', "\033[44m#{directory}\033[0m", ''
+    block.call(directory)
+  end
+end

data/angular_xss.gemspec

@@ -0,0 +1,21 @@
+# encoding: UTF-8
+$:.push File.expand_path("../lib", __FILE__)
+require "rails/angular-xss/version"
+
+Gem::Specification.new do |s|
+  s.name = 'rails-angular-xss'
+  s.version = Rails::AngularXss::VERSION
+  s.authors = ["Oliver Günther", "Henning Koch"]
+  s.email = 'o.guenther@openproject.com'
+  s.homepage = 'https://github.com/opf/rails-angular-xss'
+  s.summary = 'Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe strings.' \
+              'Forked from https://github.com/makandra/angular_xss to remove HAML dependency'
+  s.description = s.summary
+  s.license = 'MIT'
+
+  s.files         = `git ls-files`.split($\)
+  s.test_files    = s.files.grep(%r{^spec/})
+  s.require_paths = ["lib"]
+
+  s.add_runtime_dependency 'rails', '>= 4.2.0', '< 5.0'
+end

data/lib/rails-angular-xss.rb

@@ -0,0 +1 @@
+require 'rails/angular-xss'

data/lib/rails/angular-xss.rb

@@ -0,0 +1,28 @@
+require 'erb'
+
+module Rails
+  module AngularXSS
+
+  def self.redef_without_warning(const, value, expected: nil)
+    old_value = ERB::Util.const_get(const)
+    if expected &&  old_value != expected
+      raise "Trying to patch constant #{const}, but expected values have changed." \
+            "#{old_value} != #{expected}"
+    end
+
+    ERB::Util.send(:remove_const, const)
+    ERB::Util.send(:const_set, const, value)
+  end
+
+  redef_without_warning 'HTML_ESCAPE',
+                        ERB::Util::HTML_ESCAPE.merge('{{' => '{{ DOUBLE_LEFT_CURLY_BRACE }}')
+
+  redef_without_warning 'HTML_ESCAPE_REGEXP',
+                        /[&"'><]|\{\{/,
+                        expected: /[&"'><]/
+
+  redef_without_warning 'HTML_ESCAPE_ONCE_REGEXP',
+                        /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)|\{\{/,
+                        expected: /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+  end
+end

data/lib/rails/angular-xss/version.rb

@@ -0,0 +1,5 @@
+module Rails
+  module AngularXss
+    VERSION = '0.1.0'
+  end
+end

data/spec/rails-4.2/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format progress

data/spec/rails-4.2/Gemfile

@@ -0,0 +1,8 @@
+source 'http://rubygems.org'
+
+gem 'sqlite3'
+gem 'rails', '~>4.2'
+gem 'rspec'
+gem 'rspec-rails'
+gem 'rspec_candy'
+gem 'rails-angular-xss', :path => '../..'

data/spec/rails-4.2/Gemfile.lock

@@ -0,0 +1,140 @@
+PATH
+  remote: ../..
+  specs:
+    rails-angular-xss (0.1.0)
+      rails (>= 4.2.0, < 5.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    arel (6.0.0)
+    builder (3.2.2)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    globalid (0.3.5)
+      activesupport (>= 4.1.0)
+    i18n (0.7.0)
+    json (1.8.2)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    rack (1.6.0)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.1)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.4.2)
+    rspec (3.2.0)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+    rspec-core (3.2.3)
+      rspec-support (~> 3.2.0)
+    rspec-expectations (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-mocks (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-rails (3.2.1)
+      actionpack (>= 3.0, < 4.3)
+      activesupport (>= 3.0, < 4.3)
+      railties (>= 3.0, < 4.3)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+      rspec-support (~> 3.2.0)
+    rspec-support (3.2.2)
+    rspec_candy (0.4.0)
+      rspec
+      sneaky-save
+    sneaky-save (0.1.0)
+      activerecord (>= 3.2.0)
+    sprockets (3.0.1)
+      rack (~> 1.0)
+    sprockets-rails (2.2.4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rails (~> 4.2)
+  rails-angular-xss!
+  rspec
+  rspec-rails
+  rspec_candy
+  sqlite3
+
+BUNDLED WITH
+   1.11.2

data/spec/rails-4.2/Rakefile

@@ -0,0 +1,10 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+desc 'Default: Run all specs for a specific rails version.'
+task :default => :spec
+
+desc "Run all specs for a specific rails version"
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = defined?(SPEC) ? SPEC : ['**/*_spec.rb', '../shared/**/*_spec.rb']
+end

data/spec/rails-4.2/app_root/.gitignore

@@ -0,0 +1,4 @@
+.bundle
+db/*.sqlite3
+log/*.log
+tmp/**/*

data/spec/rails-4.2/app_root/config/application.rb

@@ -0,0 +1,34 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+# If you have a Gemfile, require the gems listed there, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env) if defined?(Bundler)
+
+
+module SpecApp
+  class Application < Rails::Application
+    config.encoding = "utf-8"
+
+    config.cache_classes = true
+    config.whiny_nils = true
+
+    config.eager_load = false
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection    = false
+
+    config.action_mailer.delivery_method = :test
+
+    config.active_support.deprecation = :stderr
+
+    config.root = File.expand_path('../..', __FILE__)
+
+    # railties.plugins << Rails::Plugin.new(File.expand_path('../../../../..', __FILE__))
+  end
+end

data/spec/rails-4.2/app_root/config/boot.rb

@@ -0,0 +1,13 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+gemfile = File.expand_path('../../Gemfile', __FILE__)
+begin
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+rescue Bundler::GemNotFound => e
+  STDERR.puts e.message
+  STDERR.puts "Try running `bundle install`."
+  exit!
+end if File.exist?(gemfile)

data/spec/rails-4.2/app_root/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/rails-4.2/app_root/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+SpecApp::Application.initialize!

data/spec/rails-4.2/app_root/config/environments/test.rb

@@ -0,0 +1,35 @@
+SpecApp::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite.  You never need to work with it otherwise.  Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs.  Don't rely on the data there!
+  config.cache_classes = true
+
+  # Log error messages when you accidentally call methods on nil.
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Use SQL instead of Active Record's schema dumper when creating the test database.
+  # This is necessary if your schema can't be completely dumped by the schema dumper,
+  # like if you have constraints or database-specific column types
+  # config.active_record.schema_format = :sql
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+end

data/spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/rails-4.2/app_root/config/initializers/inflections.rb

@@ -0,0 +1,10 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format
+# (all these examples are active by default):
+# ActiveSupport::Inflector.inflections do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end

data/spec/rails-4.2/app_root/config/initializers/mime_types.rb

@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone

data/spec/rails-4.2/app_root/config/initializers/secret_token.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+SpecApp::Application.config.secret_key_base = 'cb014a08a45243e7143f31e04774c342c1fba329fd594ae1a480d8283b1a851f425dc08044311fb4be6d000b6e6681de7c76d19148419a5ffa0a9f84556d3b33'

data/spec/rails-4.2/app_root/config/initializers/session_store.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+SpecApp::Application.config.session_store :cookie_store, :key => '_app_root_session'
+
+# Use the database for sessions instead of the cookie-based default,
+# which shouldn't be used to store highly confidential information
+# (create the session table with "rails generate session_migration")
+# SpecApp::Application.config.session_store :active_record_store

data/spec/rails-4.2/app_root/config/routes.rb

@@ -0,0 +1,3 @@
+SpecApp::Application.routes.draw do
+  get ':controller(/:action(/:id(.:format)))'
+end

data/spec/rails-4.2/app_root/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby1.8
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/spec/rails-4.2/rcov.opts

@@ -0,0 +1,2 @@
+--exclude "spec/*,gems/*"
+--rails

data/spec/rails-4.2/spec/spec_helper.rb

@@ -0,0 +1,27 @@
+$: << File.join(File.dirname(__FILE__), "/../../lib" )
+
+ENV['RAILS_ENV'] = 'test'
+ENV['RAILS_ROOT'] = 'app_root'
+
+# Load the Rails environment and testing framework
+require "#{File.dirname(__FILE__)}/../app_root/config/environment"
+require 'rspec/rails'
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+require 'rspec_candy/all'
+
+# Run the migrations
+print "\033[30m" # dark gray text
+ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate")
+print "\033[0m"
+
+RSpec.configure do |config|
+  config.use_transactional_fixtures = true
+  config.use_instantiated_fixtures  = false
+
+  config.mock_with :rspec do |c|
+    c.syntax = [:should, :expect]
+  end
+  config.expect_with :rspec do |c|
+    c.syntax = [:should, :expect]
+  end
+end

data/spec/shared/app_root/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/spec/shared/app_root/app/helpers/application_helper.rb

@@ -0,0 +1,3 @@
+module ApplicationHelper
+
+end

data/spec/shared/app_root/app/views/test/_test_erb.erb

@@ -0,0 +1,22 @@
+<%= "{{unsafe}}" %>
+<%= "{{safe}}".html_safe %>
+
+{{safe}}
+
+<div foo="{{safe}}" bar="<%= '{{unsafe}}' %>">
+  {{safe}}
+</div>
+
+<%= content_tag(:span, '{{unsafe}}') %>
+<%= content_tag(:span, '{{safe}}'.html_safe) %>
+
+<%= '{&lcub;unsafe}}' %>
+<%= '{&lbrace;unsafe}}' %>
+<%= '{&#x7b;unsafe}}' %>
+<%= '{&#X7B;unsafe}}' %>
+<%= '{&#x000007b;unsafe}}' %>
+<%= '{&#x000000000007b;unsafe}}' %>
+<%= '{&#123;unsafe}}' %>
+<%= '{&#000000123;unsafe}}' %>
+<%= '{&#0000000000000123;unsafe}}' %>
+<%= '&lcub;&#x7b;unsafe}}' %>

data/spec/shared/app_root/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  verbosity: quiet

data/spec/shared/support/engine_preventing_angular_xss.rb

@@ -0,0 +1,42 @@
+shared_examples_for 'engine preventing Angular XSS' do
+
+  let(:engine) { respond_to?(:view) ? view : template }
+
+  let(:html) { engine.render(partial) }
+
+  it 'escapes Angular interpolation marks in unsafe strings' do
+    html.should_not include('{{unsafe}}')
+    html.should include('{{ DOUBLE_LEFT_CURLY_BRACE }}unsafe}}')
+  end
+
+  it 'recognizes the many ways to express an opening curly brace in HTML' do
+ 
+    html.should include("{{ DOUBLE_LEFT_CURLY_BRACE }}unsafe}}")
+    html.should_not include("{{unsafe}}")
+
+    braces = [
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{',
+     '{'
+    ]
+
+    braces.each do |brace1|
+      braces.each do |brace2|
+        html.should_not include("#{brace1}#{brace2}unsafe}}")
+      end
+    end
+
+  end
+
+  it 'does not escape Angular interpolation marks in safe strings' do
+    html.should include("{{safe}}")
+    html.should_not include("{{ DOUBLE_LEFT_CURLY_BRACE }}safe}}")
+  end
+end

data/spec/shared/tests/erb_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'Angular XSS prevention in ERB', :type => :view do
+
+  it_should_act_like 'engine preventing Angular XSS', :partial => 'test/test_erb'
+
+end

data/spec/shared/tests/safe_buffer_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe ActiveSupport::SafeBuffer do
+
+  it 'still allows concatting nil' do
+    expect { subject << nil }.to_not raise_error
+  end
+
+end

metadata

@@ -0,0 +1,136 @@
+--- !ruby/object:Gem::Specification
+name: rails-angular-xss
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Oliver Günther
+- Henning Koch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-06-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+description: Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe
+  strings.Forked from https://github.com/makandra/angular_xss to remove HAML dependency
+email: o.guenther@openproject.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- LICENSE
+- README.md
+- Rakefile
+- angular_xss.gemspec
+- lib/rails-angular-xss.rb
+- lib/rails/angular-xss.rb
+- lib/rails/angular-xss/version.rb
+- spec/rails-4.2/.rspec
+- spec/rails-4.2/Gemfile
+- spec/rails-4.2/Gemfile.lock
+- spec/rails-4.2/Rakefile
+- spec/rails-4.2/app_root/.gitignore
+- spec/rails-4.2/app_root/config/application.rb
+- spec/rails-4.2/app_root/config/boot.rb
+- spec/rails-4.2/app_root/config/database.yml
+- spec/rails-4.2/app_root/config/environment.rb
+- spec/rails-4.2/app_root/config/environments/test.rb
+- spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
+- spec/rails-4.2/app_root/config/initializers/inflections.rb
+- spec/rails-4.2/app_root/config/initializers/mime_types.rb
+- spec/rails-4.2/app_root/config/initializers/secret_token.rb
+- spec/rails-4.2/app_root/config/initializers/session_store.rb
+- spec/rails-4.2/app_root/config/routes.rb
+- spec/rails-4.2/app_root/lib/tasks/.gitkeep
+- spec/rails-4.2/app_root/log/.gitkeep
+- spec/rails-4.2/app_root/script/rails
+- spec/rails-4.2/rcov.opts
+- spec/rails-4.2/spec/spec_helper.rb
+- spec/shared/app_root/app/controllers/application_controller.rb
+- spec/shared/app_root/app/helpers/application_helper.rb
+- spec/shared/app_root/app/models/.gitkeep
+- spec/shared/app_root/app/views/test/_test_erb.erb
+- spec/shared/app_root/config/database.yml
+- spec/shared/app_root/db/migrate/.gitkeep
+- spec/shared/support/engine_preventing_angular_xss.rb
+- spec/shared/tests/erb_spec.rb
+- spec/shared/tests/safe_buffer_spec.rb
+homepage: https://github.com/opf/rails-angular-xss
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Patches rails_xss so AngularJS interpolations are auto-escaped in unsafe
+  strings.Forked from https://github.com/makandra/angular_xss to remove HAML dependency
+test_files:
+- spec/rails-4.2/.rspec
+- spec/rails-4.2/Gemfile
+- spec/rails-4.2/Gemfile.lock
+- spec/rails-4.2/Rakefile
+- spec/rails-4.2/app_root/.gitignore
+- spec/rails-4.2/app_root/config/application.rb
+- spec/rails-4.2/app_root/config/boot.rb
+- spec/rails-4.2/app_root/config/database.yml
+- spec/rails-4.2/app_root/config/environment.rb
+- spec/rails-4.2/app_root/config/environments/test.rb
+- spec/rails-4.2/app_root/config/initializers/backtrace_silencers.rb
+- spec/rails-4.2/app_root/config/initializers/inflections.rb
+- spec/rails-4.2/app_root/config/initializers/mime_types.rb
+- spec/rails-4.2/app_root/config/initializers/secret_token.rb
+- spec/rails-4.2/app_root/config/initializers/session_store.rb
+- spec/rails-4.2/app_root/config/routes.rb
+- spec/rails-4.2/app_root/lib/tasks/.gitkeep
+- spec/rails-4.2/app_root/log/.gitkeep
+- spec/rails-4.2/app_root/script/rails
+- spec/rails-4.2/rcov.opts
+- spec/rails-4.2/spec/spec_helper.rb
+- spec/shared/app_root/app/controllers/application_controller.rb
+- spec/shared/app_root/app/helpers/application_helper.rb
+- spec/shared/app_root/app/models/.gitkeep
+- spec/shared/app_root/app/views/test/_test_erb.erb
+- spec/shared/app_root/config/database.yml
+- spec/shared/app_root/db/migrate/.gitkeep
+- spec/shared/support/engine_preventing_angular_xss.rb
+- spec/shared/tests/erb_spec.rb
+- spec/shared/tests/safe_buffer_spec.rb
+has_rdoc: