Escape angularjs templating in unsafe HTML

This code extends the unsafe (typically user-supplied) HTML escape
built into Django to also escape angularjs templating markers. Safe
HTML will be unaffected.

Closes-bug: 1567673
Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
This commit is contained in:
Richard Jones 2016-05-03 15:51:49 +10:00 committed by Tristan Cacqueray
parent e2944ec843
commit fc8d705604
3 changed files with 40 additions and 0 deletions

31
horizon/utils/escape.py Normal file
View File

@ -0,0 +1,31 @@
# Copyright 2016, Rackspace, US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import django.utils.html
def escape(text, existing=django.utils.html.escape):
# Replace our angular markup string with a different string
# (which just happens to be the Django comment string)
# this prevents user-supplied data from being intepreted in
# our pages by angularjs, thus preventing it from being used
# for XSS attacks. Note that we use {$ $} instead of the
# standard {{ }} - this is configured in horizon.framework
# angularjs module through $interpolateProvider.
return existing(text).replace('{$', '{%').replace('$}', '%}')
# this will be invoked as early as possible in settings.py
def monkeypatch_escape():
django.utils.html.escape = escape

View File

@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa
from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
from openstack_dashboard import theme_settings
from horizon.utils.escape import monkeypatch_escape
monkeypatch_escape()
warnings.formatwarning = lambda message, category, *args, **kwargs: \
'%s: %s' % (category.__name__, message)

View File

@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
from openstack_dashboard.static_settings import find_static_files # noqa
from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
from horizon.utils.escape import monkeypatch_escape
# this is used to protect from client XSS attacks, but it's worth
# enabling in our test setup to find any issues it might cause
monkeypatch_escape()
STATICFILES_DIRS = get_staticfiles_dirs()
TEST_DIR = os.path.dirname(os.path.abspath(__file__))