diff options
author | Richard Jones <r1chardj0n3s@gmail.com> | 2016-05-03 15:51:49 +1000 |
---|---|---|
committer | Tristan Cacqueray <tdecacqu@redhat.com> | 2016-06-15 11:02:55 -0400 |
commit | d585e5eb9acf92d10d39b6c2038917a7e8ac71bb (patch) | |
tree | cf9c1f01835ede8df720720a72fa607b47539acb | |
parent | 68c0fd068dd46d54bedf7daf95903dcba5aaf24a (diff) | |
download | horizon-d585e5eb9acf92d10d39b6c2038917a7e8ac71bb.tar.gz |
Escape angularjs templating in unsafe HTML
This code extends the unsafe (typically user-supplied) HTML escape
built into Django to also escape angularjs templating markers. Safe
HTML will be unaffected.
Closes-bug: 1567673
Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
-rw-r--r-- | horizon/utils/escape.py | 31 | ||||
-rw-r--r-- | openstack_dashboard/settings.py | 3 | ||||
-rw-r--r-- | openstack_dashboard/test/settings.py | 6 |
3 files changed, 40 insertions, 0 deletions
diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py new file mode 100644 index 000000000..471a90f43 --- /dev/null +++ b/horizon/utils/escape.py @@ -0,0 +1,31 @@ +# Copyright 2016, Rackspace, US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import django.utils.html + + +def escape(text, existing=django.utils.html.escape): + # Replace our angular markup string with a different string + # (which just happens to be the Django comment string) + # this prevents user-supplied data from being intepreted in + # our pages by angularjs, thus preventing it from being used + # for XSS attacks. Note that we use {$ $} instead of the + # standard {{ }} - this is configured in horizon.framework + # angularjs module through $interpolateProvider + return existing(text).replace('{$', '{%').replace('$}', '%}') + + +# this will be invoked as early as possible in settings.py +def monkeypatch_escape(): + django.utils.html.escape = escape diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py index 5761a9158..803b079fa 100644 --- a/openstack_dashboard/settings.py +++ b/openstack_dashboard/settings.py @@ -28,6 +28,9 @@ from openstack_dashboard import exceptions from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +monkeypatch_escape() warnings.formatwarning = lambda message, category, *args, **kwargs: \ '%s: %s' % (category.__name__, message) diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py index 1926644d8..45f1d0621 100644 --- a/openstack_dashboard/test/settings.py +++ b/openstack_dashboard/test/settings.py @@ -18,6 +18,12 @@ from openstack_dashboard import exceptions from openstack_dashboard.static_settings import find_static_files # noqa from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa +from horizon.utils.escape import monkeypatch_escape + +# this is used to protect from client XSS attacks, but it's worth +# enabling in our test setup to find any issues it might cause +monkeypatch_escape() + STATICFILES_DIRS = get_staticfiles_dirs() TEST_DIR = os.path.dirname(os.path.abspath(__file__)) |