Escape angularjs templating in unsafe HTML

This code extends the unsafe (typically user-supplied) HTML escape built into Django to also escape angularjs templating markers. Safe HTML will be unaffected. Closes-bug: 1567673 Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
2016-05-03 15:51:49 +10:00 · 2016-05-03 15:51:49 +10:00 · 62b4e6f30a
commit 62b4e6f30a
parent 21dfd683de
3 changed files with 40 additions and 0 deletions
--- a/horizon/utils/escape.py
+++ b/horizon/utils/escape.py
@ -0,0 +1,31 @@
+# Copyright 2016, Rackspace, US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import django.utils.html
+
+
+def escape(text, existing=django.utils.html.escape):
+    # Replace our angular markup string with a different string
+    # (which just happens to be the Django comment string)
+    # this prevents user-supplied data from being intepreted in
+    # our pages by angularjs, thus preventing it from being used
+    # for XSS attacks. Note that we use {$ $} instead of the
+    # standard {{ }} - this is configured in horizon.framework
+    # angularjs module through $interpolateProvider.
+    return existing(text).replace('{$', '{%').replace('$}', '%}')
+
+
+# this will be invoked as early as possible in settings.py
+def monkeypatch_escape():
+    django.utils.html.escape = escape
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files  # noqa
 from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
 from openstack_dashboard import theme_settings

+from horizon.utils.escape import monkeypatch_escape
+
+monkeypatch_escape()

 warnings.formatwarning = lambda message, category, *args, **kwargs: \
    '%s: %s' % (category.__name__, message)
--- a/openstack_dashboard/test/settings.py
+++ b/openstack_dashboard/test/settings.py
@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
 from openstack_dashboard.static_settings import find_static_files  # noqa
 from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa

+from horizon.utils.escape import monkeypatch_escape
+
+# this is used to protect from client XSS attacks, but it's worth
+# enabling in our test setup to find any issues it might cause
+monkeypatch_escape()
+
 STATICFILES_DIRS = get_staticfiles_dirs()

 TEST_DIR = os.path.dirname(os.path.abspath(__file__))