This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
angular_xss

When rendering AngularJS templates with a server-side templating engine like ERB or Haml, it is easy to introduce XSS vulnerabilities. They arise because AngularJS evaluates any string that contains its interpolation symbols (by default {{ and }}), including user-provided strings that the server renders into the page.

This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. By auto-escaped we mean replacing {{ with {{ $root.DOUBLE_LEFT_CURLY_BRACE }}, which Angular evaluates back to a literal {{ instead of treating the text that follows as an expression. To leave AngularJS interpolation marks unescaped, mark the string as html_safe.

This is an unsatisfactory hack. A better solution is very much desired, but is not possible without some changes in AngularJS. See the related AngularJS issue.

🚧 Notice: unmaintained gem

We are no longer actively maintaining this gem.

The 1.0 release added support for HAML 6 and Rails 7.1, so the gem will at least support Rails 3.2 - 7.1 and HAML 4 - 6. angular_xss might still work for future versions of HAML and Rails, but we won't actively ensure it does.

Disable escaping locally

If you want to disable angular_xss in some part of your app, you can use

AngularXss.disable do
  # no escaping here
end
# escaped again
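The escaping rule described above (rewrite {{ in unsafe strings, pass html_safe strings through) together with the disable block, as an added example that is not the gem's own code. AngularEscape, SafeString and the String#html_safe stand-in are hypothetical names used here so the example runs without Rails or ActiveSupport.

```ruby
# Added example, not angular_xss's implementation: a minimal model of the
# README's escaping rule. SafeString stands in for ActiveSupport::SafeBuffer.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end          # plain strings are unsafe by default
  def html_safe; SafeString.new(self); end
end

module AngularEscape
  # Angular evaluates this back to a literal "{{" once the app has set
  # $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'.
  ESCAPED_OPEN = '{{ $root.DOUBLE_LEFT_CURLY_BRACE }}'.freeze
  @disabled = false

  class << self
    # Turn escaping off for the block, mirroring AngularXss.disable { ... }.
    # The previous state is restored even if the block raises.
    def disable
      previous, @disabled = @disabled, true
      yield
    ensure
      @disabled = previous
    end

    def disabled?
      @disabled
    end

    # Rewrite every "{{" in an unsafe string so AngularJS sees a literal
    # "{{" instead of the start of an expression. Strings marked html_safe
    # and anything rendered inside a disable block pass through untouched.
    def escape(value)
      return value if disabled? || value.html_safe?
      value.gsub('{{', ESCAPED_OPEN)
    end
  end
end
```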

Installation

  1. Read the code so you know what you're getting into.

  2. Put this into your Gemfile after other templating engines like Haml or Erubis:

     gem 'angular_xss' # put me after Haml, Erubis and other templating engines
    
  3. Run bundle install.

  4. Add this to your Angular code (replacing "myApp" of course):

    angular.module('myApp', []).run(['$rootScope', function($rootScope) {
      $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{';
    }]);
    
  5. Run your test suite to find the places that broke.

  6. Mark any string that is allowed to contain Angular expressions as #html_safe.

Known limitations

  • Requires Haml. It could be refactored to only patch ERB/rails_xss.
  • When using Haml with angular_xss, you can no longer use interpolation symbols in class or id attributes, even if the value is marked as html_safe. This is a limitation of Haml. Try using ng-class instead.

Development

  • Fork the repository.
  • Prepare your changes, and ensure existing and new tests are green:
    • bundle exec rake matrix:install installs all dependencies for all Gemfiles
    • bundle exec rake matrix:spec runs all specs in all configurations
    • You may run single tests with a specified Rails version via BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss
  • Push your changes with specs. There is a test application in spec/app_root if you need to test integration with a live Rails app.
  • Send a pull request.

Credits

Henning Koch from makandra.
