angular_xss [![Build Status](https://travis-ci.org/makandra/angular_xss.png?branch=master)](https://travis-ci.org/makandra/angular_xss)
===========

When rendering AngularJS templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are `{{` and `}}`).

This gem patches ERB/rails_xss and Haml so Angular interpolation symbols are auto-escaped in unsafe strings. And by auto-escaped we mean replacing `{{` with ` { { `.

To leave AngularJS interpolation marks unescaped, mark the string as `html_safe`.

**This is an unsatisfactory hack.** A better solution is very much desired, but is not possible without some changes in AngularJS. See the [related AngularJS issue](https://github.com/angular/angular.js/issues/5601).

Disable escaping locally
------------------------

If you want to disable angular_xss in some part of your app, you can use

```
AngularXss.disable do
  # no escaping here
end
# escaped again
```

Installation
------------

0. Read the code so you know what you're getting into.
1. Put this into your Gemfile **after other templating engines** like Haml or Erubis:

        gem 'angular_xss' # put me after Haml, Erubis and other templating engines

2. Run `bundle install`.
3. Run your test suite to find the places that broke.
4. Mark any string that is allowed to contain Angular expressions as `#html_safe`.

Known limitations
-----------------

- Requires Haml. It could be refactored to only patch ERB/rails_xss.
- When using Haml with angular_xss, you can no longer use interpolation symbols in `class` or `id` attributes, even if the value is marked as `html_safe`. This is a limitation of Haml. Try using `ng-class` instead.

Development
-----------

- Fork the repository.
- Push your changes with specs. There is a Rails 3 test application in `spec/app_root` if you need to test integration with a live Rails app.
- Send a pull request.

Credits
-------

[Henning Koch](mailto:henning.koch@makandra.de) from [makandra](http://makandra.com/).
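The escaping rule and the `disable` block described above, as an added illustration that is not the gem's own code. It models the README's behaviour in plain Ruby so it runs without Rails: `AngularEscapeDemo`, `SafeString` and the thread-local key are assumed names chosen here, and `SafeString` only stands in for ActiveSupport's `html_safe` marking. The point it makes is that ordinary HTML escaping does nothing for this problem, because `{{` contains no HTML metacharacters and reaches the browser intact, where the AngularJS compiler evaluates whatever expression sits between the braces.

```ruby
# Added example, not part of the angular_xss gem.
# Stand-in for ActiveSupport's html_safe strings: anything marked safe is passed through untouched.
class SafeString < String
  def html_safe?
    true
  end
end

module AngularEscapeDemo
  OPEN_MARK   = '{{'
  REPLACEMENT = ' { { '   # the replacement the README describes
  STATE_KEY   = :angular_escape_demo_disabled  # assumed thread-local key

  # Escaping is switched off per thread, so a disable block in one request
  # does not leak into requests served concurrently by other threads.
  def self.disabled?
    Thread.current[STATE_KEY] == true
  end

  # Mirrors the documented `AngularXss.disable do ... end` shape:
  # escaping is off inside the block and restored afterwards, even on exceptions.
  def self.disable
    previous = Thread.current[STATE_KEY]
    Thread.current[STATE_KEY] = true
    yield
  ensure
    Thread.current[STATE_KEY] = previous
  end

  # Break AngularJS interpolation in values that are not marked html_safe.
  # Only the opening mark needs to be broken: without a matching `{{`,
  # a stray `}}` is inert text to the Angular compiler.
  def self.escape(value)
    return value if disabled?
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s.gsub(OPEN_MARK, REPLACEMENT)
  end
end

if __FILE__ == $0
  untrusted = '{{ 7 * 6 }}'              # constructed user-supplied value
  trusted   = SafeString.new('{{ user.name }}')  # a template author's own expression

  puts AngularEscapeDemo.escape(untrusted)   # braces broken, Angular renders it as text
  puts AngularEscapeDemo.escape(trusted)     # left alone, Angular evaluates it
  AngularEscapeDemo.disable { puts AngularEscapeDemo.escape(untrusted) }  # unchanged inside the block
end
```

Note that a value sent through `escape` is still not HTML-escaped; in a real template the normal HTML escaping of ERB/Haml runs as well, and this step is in addition to it, not instead of it.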