Escape angularjs templating in unsafe HTML

This code extends the unsafe (typically user-supplied) HTML escape
built into Django to also escape angularjs templating markers. Safe
HTML will be unaffected.

Closes-bug: 1567673
Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)

3 files changed, 40 insertions, 0 deletions

diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
new file mode 100644
index 000000000..471a90f43
--- /dev/null
+++ b/horizon/utils/escape.py
@@ -0,0 +1,31 @@
+# Copyright 2016, Rackspace, US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import django.utils.html
+
+
+def escape(text, existing=django.utils.html.escape):
+    # Replace our angular markup string with a different string
+    # (which just happens to be the Django comment string)
+    # this prevents user-supplied data from being intepreted in
+    # our pages by angularjs, thus preventing it from being used
+    # for XSS attacks. Note that we use {$ $} instead of the
+    # standard {{ }} - this is configured in horizon.framework
+    # angularjs module through $interpolateProvider
+    return existing(text).replace('{$', '{%').replace('$}', '%}')
+
+
+# this will be invoked as early as possible in settings.py
+def monkeypatch_escape():
+    django.utils.html.escape = escape
diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
index 5761a9158..803b079fa 100644
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
@@ -28,6 +28,9 @@ from openstack_dashboard import exceptions
 from openstack_dashboard.static_settings import find_static_files  # noqa
 from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
 
+from horizon.utils.escape import monkeypatch_escape
+
+monkeypatch_escape()
 
 warnings.formatwarning = lambda message, category, *args, **kwargs: \
     '%s: %s' % (category.__name__, message)
diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
index 1926644d8..45f1d0621 100644
--- a/openstack_dashboard/test/settings.py
+++ b/openstack_dashboard/test/settings.py
@@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
 from openstack_dashboard.static_settings import find_static_files  # noqa
 from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
 
+from horizon.utils.escape import monkeypatch_escape
+
+# this is used to protect from client XSS attacks, but it's worth
+# enabling in our test setup to find any issues it might cause
+monkeypatch_escape()
+
 STATICFILES_DIRS = get_staticfiles_dirs()
 
 TEST_DIR = os.path.dirname(os.path.abspath(__file__))