diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py new file mode 100644 index 000000000..6e275572c --- /dev/null +++ b/horizon/utils/escape.py @@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider. + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py index 8e911329c..e96a4dff7 100644 --- a/openstack_dashboard/settings.py +++ b/openstack_dashboard/settings.py @@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa from openstack_dashboard import theme_settings +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message) diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py index 949fa7901..fee5aa0e2 100644 --- a/openstack_dashboard/test/settings.py +++ b/openstack_dashboard/test/settings.py @@ -18,6 +18,12 @@ from openstack_dashboard import exceptions from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__))