rails-angular-xss
When rendering AngularJS templates with a server-side templating engine like ERB it is easy to introduce XSS vulnerabilities.
These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are {{
and }}
).
This gem patches ERB/rails_xss so AngularJS interpolation symbols are auto-escaped in unsafe strings.
And by auto-escaped we mean replacing {{
with {{ DOUBLE_LEFT_CURLY_BRACE }}
. To leave AngularJS interpolation marks unescaped, mark the string as html_safe
.
This is an unsatisfactory hack. A better solution is very much desired, but is not possible without some changes in AngularJS. See the related AngularJS issue.
Requirements
- Rails 4.2
Installation
Read the code so you know what you're getting into.
Put this into your Gemfile
gem 'angular_xss'
Run
bundle install
.Important: Add
$rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'
to your Angular app initialization.Run your test suite to find the places that broke.
Mark any string that is allowed to contain Angular expressions as
#html_safe
.
How it works
This gem patches ERB.Util HTML_ESCAPE constants to replace any occurence of the string {{
with the replacement `{{ DOUBLE_LEFT_CURLY_BRACE }}
. This will be interpolated by Angular, and assuming you've followed step 4. above, Angular returns the interpolated string {{
.
This allows users to actually use {{
without it being transformed by some invisible spaces, unicode characaters that look like a curly bracket and so on.
Development
- Fork the repository.
- Push your changes with specs. There is a Rails 3 test application in
spec/app_root
if you need to test integration with a live Rails app. - Send a pull request.
Credits
Henning Koch from makandra.