From 62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a Mon Sep 17 00:00:00 2001 From: Richard Jones Date: Tue, 3 May 2016 15:51:49 +1000 Subject: [PATCH] Escape angularjs templating in unsafe HTML This code extends the unsafe (typically user-supplied) HTML escape built into Django to also escape angularjs templating markers. Safe HTML will be unaffected. Closes-bug: 1567673 Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7 --- horizon/utils/escape.py | 31 ++++++++++++++++++++++++++++ openstack_dashboard/settings.py | 3 +++ openstack_dashboard/test/settings.py | 6 ++++++ 3 files changed, 40 insertions(+) create mode 100644 horizon/utils/escape.py diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py new file mode 100644 index 000000000..6e275572c --- /dev/null +++ b/horizon/utils/escape.py @@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider. + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py index 8e911329c..e96a4dff7 100644 --- a/openstack_dashboard/settings.py +++ b/openstack_dashboard/settings.py @@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa from openstack_dashboard import theme_settings +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message) diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py index 949fa7901..fee5aa0e2 100644 --- a/openstack_dashboard/test/settings.py +++ b/openstack_dashboard/test/settings.py @@ -18,6 +18,12 @@ from openstack_dashboard import exceptions from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__))