Project

angular_xss

0.01
Repository is archived
Low commit activity in last 3 years
No release in over a year
angular_xssmakandra/angular_xssHomepageDocumentationSource CodeBug TrackerWiki
Patches rails_xss and Haml so AngularJS interpolations are auto-escaped in unsafe strings.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
78,017
Stars
5
Forks
7
Watchers
8
 Releases
Current version
1.0.0
Total releases
10
First release
2014-01-02
Latest release
2024-07-02
 Issues
Open Issues
0
Closed Issues
1
Total Issues
1
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
12
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2018-01-05
Reverse Dependencies
0

 Dependencies

Runtime

activesupport
>= 0
haml
>= 3.1.5
 Project Readme

angular_xss Build Status

When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are {{ and }}).

This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing {{ with {{ $root.DOUBLE_LEFT_CURLY_BRACE }}. To leave AngularJS interpolation marks unescaped, mark the string as html_safe.

This is an unsatisfactory hack. A better solution is very much desired, but is not possible without some changes in AngularJS. See the related AngularJS issue.

🚧 Notice: unmaintained gem

We are no longer actively maintaining this gem.

The 1.0 release added support for HAML 6 and Rails 7.1, so the gem will at least support Rails 3.2 - 7.1 and HAML 4 - 6. angular_xss might still work for future versions HAML and Rails, but we won't actively ensure it does.

Disable escaping locally

If you want to disable angular_xss in some part of your app, you can use

AngularXss.disable do
  # no escaping here
end
# escaped again

Installation

  1. Read the code so you know what you're getting into.

  2. Put this into your Gemfile after other templating engines like Haml or Erubis:

     gem 'angular_xss' # put me after Haml, Erubis and other templating engines

  3. Run bundle install.

  4. Add this to your Angular code (replacing "myApp" of course):

    angular.module('myApp', []).run(['$rootScope', function($rootScope) {
  $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{';
}]);

  5. Run your test suite to find the places that broke.

  6. Mark any string that is allowed to contain Angular expressions as #html_safe.

Known limitations

  • Requires Haml. It could be refactored to only patch ERB/rails_xss.
  • When using Haml with angular_xss, you can no longer use interpolation symbols in class or id attributes, even if the value is marked as html_safe. This is a limitation of Haml. Try using ng-class instead.

Development

  • Fork the repository.
  • Prepare your changes, and ensure existing and new test are green:
    • bundle exec rake matrix:install installs all dependencies for all Gemfiles
    • bundle exec rake matrix:spec runs all specs in all configurations
    • You may run single tests with a specified Rails version via BUNDLE_GEMFILE=Gemfile.rails-7.0.haml-5 bundle exec rspec ./spec/angular_xss
  • Push your changes with specs. There is a test application in spec/app_root if you need to test integration with a live Rails app.
  • Send a pull request.

Credits

Henning Koch from makandra.