When rendering AngularJS templates with a server-side templating engine like ERB it is easy to introduce XSS vulnerabilities.
These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (the default symbols are `{{` and `}}`).
This gem patches ERB/rails_xss so AngularJS interpolation symbols are auto-escaped in unsafe strings.
By auto-escaped we mean replacing `{{` with `{{ $root.DOUBLE_LEFT_CURLY_BRACE }}`. To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.
This is an unsatisfactory hack. A better solution is very much desired, but is not possible without some changes in AngularJS. See the related AngularJS issue.
## Requirements

- Rails 5.0.x

## Installation

1. Read the code so you know what you're getting into.
2. Put this into your Gemfile: `gem 'rails-angular-xss'`
3. Run `bundle install`.
4. Important: Add `$rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'` to your Angular app initialization.
5. Run your test suite to find the places that broke.
6. Mark any string that is allowed to contain Angular expressions as `#html_safe`.
## How it works

This gem originally patched the `ERB::Util` `HTML_ESCAPE` constants to replace any occurrence of the string `{{` with the replacement `{{ DOUBLE_LEFT_CURLY_BRACE }}`. This will be interpolated by Angular, **and assuming you've followed step 4 above**, Angular returns the interpolated string `{{`.
This allows users to actually use `{{` without it being transformed into invisible spaces, unicode characters that look like a curly bracket and so on.
With Rails 5.0, `ERB::Util` uses the native `CGI.escapeHTML` of Ruby 2.3, so we have to patch `ERB::Util` and `SafeBuffer` to additionally check for `{{`.
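The following is an added example, not the gem's own code, that reproduces the escaping idea described above in plain Ruby so it can be run without Rails. It HTML-escapes a value the way `ERB::Util` does via `CGI.escapeHTML`, then replaces the AngularJS opener `{{` with the `{{ $root.DOUBLE_LEFT_CURLY_BRACE }}` expression used earlier in this README (which assumes the `$rootScope` assignment from installation step 4). The `TrustedHtml` class, the `escape_for_angular`, `html_escape_only` and `render_greeting` helpers, and the sample inputs are all constructed for this example; `TrustedHtml` stands in for a string marked `#html_safe`.

```ruby
require 'erb'
require 'cgi'

# The AngularJS interpolation opener and its replacement. The replacement is
# itself an Angular expression that evaluates back to "{{" once
# $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{' has been set (assumption: the
# application followed installation step 4).
ANGULAR_OPEN    = '{{'.freeze
ANGULAR_REPLACE = '{{ $root.DOUBLE_LEFT_CURLY_BRACE }}'.freeze

# Constructed stand-in for a string marked #html_safe: the application has
# declared it trusted, so it passes through untouched, like a SafeBuffer would.
class TrustedHtml
  attr_reader :to_s

  def initialize(html)
    @to_s = html
  end
end

# For contrast: plain HTML escaping (what ERB does on its own) leaves the
# interpolation marker intact, so Angular would still evaluate the expression.
def html_escape_only(value)
  CGI.escapeHTML(value.to_s)
end

# Escape one value for insertion into an AngularJS template rendered by ERB:
# HTML-escape first, then neutralise "{{" unless the value is explicitly trusted.
def escape_for_angular(value)
  return value.to_s if value.is_a?(TrustedHtml)

  CGI.escapeHTML(value.to_s).gsub(ANGULAR_OPEN, ANGULAR_REPLACE)
end

# A minimal ERB template that drops the value into Angular-controlled DOM.
GREETING = ERB.new('<span ng-app>Hello, <%= escape_for_angular(name) %></span>')

def render_greeting(name)
  GREETING.result_with_hash(name: name)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a user-supplied display name carrying both an
  # Angular expression and an HTML tag. Both markers are neutralised.
  puts render_greeting('{{ 1 + 1 }} <b>Mallory</b>')
  # A string the application explicitly trusts keeps its braces, so Angular
  # still interpolates it.
  puts render_greeting(TrustedHtml.new('{{ user.name }}'))
end
```

Running the script prints the greeting twice: once with the `<b>` tag turned into entities and `{{` rewritten so Angular renders a literal `{{ 1 + 1 }}`, and once with the trusted `{{ user.name }}` left for Angular to evaluate. The `html_escape_only` helper shows why HTML escaping alone is not enough: it leaves `{{ 1 + 1 }}` in the output verbatim.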
## Development

- Fork the repository.
- Push your changes with specs. There is a Rails 5 test application in `spec/app_root` if you need to test integration with a live Rails app.
- Send a pull request.
## Credits

Oliver Günther from OpenProject.
Original plugin and code for Rails < 5 by
Henning Koch from makandra.