--- /dev/null
+Description: Escape angularjs templating in unsafe HTML
+ This code extends the unsafe (typically user-supplied) HTML escape
+ built into Django to also escape angularjs templating markers. Safe
+ HTML will be unaffected.
+Author: Richard Jones <r1chardj0n3s@gmail.com>
+Origin: upstream, https://review.openstack.org/#/c/329998/
+Date: Tue, 3 May 2016 05:51:49 +0000 (+1000)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
+Bug-Ubuntu: https://launchpad.net/bugs/1567673
+Bug-Debian: https://bugs.debian.org/XXXXXX
+Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
+
+diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
+new file mode 100644
+index 0000000..6e27557
+--- /dev/null
++++ b/horizon/utils/escape.py
+@@ -0,0 +1,31 @@
++# Copyright 2016, Rackspace, US, Inc.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import django.utils.html
++
++
++def escape(text, existing=django.utils.html.escape):
++ # Replace our angular markup string with a different string
++ # (which just happens to be the Django comment string)
++ # this prevents user-supplied data from being intepreted in
++ # our pages by angularjs, thus preventing it from being used
++ # for XSS attacks. Note that we use {$ $} instead of the
++ # standard {{ }} - this is configured in horizon.framework
++ # angularjs module through $interpolateProvider.
++ return existing(text).replace('{$', '{%').replace('$}', '%}')
++
++
++# this will be invoked as early as possible in settings.py
++def monkeypatch_escape():
++ django.utils.html.escape = escape
+diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
+index 8e91132..e96a4df 100644
+--- a/openstack_dashboard/settings.py
++++ b/openstack_dashboard/settings.py
+@@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files # noqa
+ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+ from openstack_dashboard import theme_settings
+
++from horizon.utils.escape import monkeypatch_escape
++
++monkeypatch_escape()
+
+ warnings.formatwarning = lambda message, category, *args, **kwargs: \
+ '%s: %s' % (category.__name__, message)
+diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
+index 949fa79..fee5aa0 100644
+--- a/openstack_dashboard/test/settings.py
++++ b/openstack_dashboard/test/settings.py
+@@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
+ from openstack_dashboard.static_settings import find_static_files # noqa
+ from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+
++from horizon.utils.escape import monkeypatch_escape
++
++# this is used to protect from client XSS attacks, but it's worth
++# enabling in our test setup to find any issues it might cause
++monkeypatch_escape()
++
+ STATICFILES_DIRS = get_staticfiles_dirs()
+
+ TEST_DIR = os.path.dirname(os.path.abspath(__file__))
Code Review / openstack-build / horizon-build.git / commitdiff