When rendering AngularJS templates with a server-side templating engine like ERB it is easy to introduce XSS vulnerabilities.
These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are {{
and }}
).
This gem patches ERB/rails_xss so AngularJS interpolation symbols are auto-escaped in unsafe strings.
And by auto-escaped we mean replacing {{
with {{ $root.DOUBLE_LEFT_CURLY_BRACE }}
. To leave AngularJS interpolation marks unescaped, mark the string as html_safe
.
This is an unsatisfactory hack. A better solution is very much desired, but is not possible without some changes in AngularJS. See the related AngularJS issue.
Requirements
- Rails 5.0.x
Installation
-
Read the code so you know what you're getting into.
-
Put this into your Gemfile
gem 'rails-angular-xss'
-
Run
bundle install
. -
Important: Add
$rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{'
to your Angular app initialization. -
Run your test suite to find the places that broke.
-
Mark any string that is allowed to contain Angular expressions as
#html_safe
.
How it works
This gem originally patched ERB::Util HTML_ESCAPE constants to replace any occurence of the string {{
with the replacement ``{{ DOUBLE_LEFT_CURLY_BRACE }}. This will be interpolated by Angular, **and assuming you've followed step 4. above**, Angular returns the interpolated string
{{`.
This allows users to actually use {{
without it being transformed by some invisible spaces, unicode characaters that look like a curly bracket and so on.
With Rails 5.0., ERB::Util
utilizes the native CGI.escapeHTML
of Ruby 2.3, we thus have to patch ERB::Util
and SafeBuffer
to check for {{
additionally.
Development
- Fork the repository.
- Push your changes with specs. There is a Rails 5 test application in
spec/app_root
if you need to test integration with a live Rails app. - Send a pull request.
Credits
Oliver Günther from OpenProject.
Original plugin and code for Rails < 5 by
Henning Koch from makandra.