Patch taken from https://review.openstack.org/329997 (Liberty) and
slightly modified to adjust for gpatch fuzz for application to Kilo.
From d585e5eb9acf92d10d39b6c2038917a7e8ac71bb Mon Sep 17 00:00:00 2001
From: Richard Jones <r1chardj0n3s@gmail.com>
Date: Tue, 3 May 2016 15:51:49 +1000
Subject: [PATCH] Escape angularjs templating in unsafe HTML
This code extends the unsafe (typically user-supplied) HTML escape
built into Django to also escape angularjs templating markers. Safe
HTML will be unaffected.
Closes-bug: 1567673
Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
---
horizon/utils/escape.py | 31 +++++++++++++++++++++++++++++++
openstack_dashboard/settings.py | 3 +++
openstack_dashboard/test/settings.py | 6 ++++++
3 files changed, 40 insertions(+)
create mode 100644 horizon/utils/escape.py
new file mode 100644
index 0000000..471a90f
--- /dev/null
@@ -0,0 +1,31 @@
+# Copyright 2016, Rackspace, US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import django.utils.html
+
+
+def escape(text, existing=django.utils.html.escape):
+ # Replace our angular markup string with a different string
+ # (which just happens to be the Django comment string)
+ # this prevents user-supplied data from being intepreted in
+ # our pages by angularjs, thus preventing it from being used
+ # for XSS attacks. Note that we use {$ $} instead of the
+ # standard {{ }} - this is configured in horizon.framework
+ # angularjs module through $interpolateProvider
+ return existing(text).replace('{$', '{%').replace('$}', '%}')
+
+
+# this will be invoked as early as possible in settings.py
+def monkeypatch_escape():
+ django.utils.html.escape = escape
index 5761a91..803b079 100644
@@ -27,6 +27,9 @@ from openstack_dashboard import exceptions
from openstack_dashboard import exceptions
from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+from horizon.utils.escape import monkeypatch_escape
+
+monkeypatch_escape()
warnings.formatwarning = lambda message, category, *args, **kwargs: \
'%s: %s' % (category.__name__, message)
index 1926644..45f1d06 100644
@@ -17,6 +17,12 @@ from openstack_dashboard import exceptions
from openstack_dashboard import exceptions
from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
+from horizon.utils.escape import monkeypatch_escape
+
+# this is used to protect from client XSS attacks, but it's worth
+# enabling in our test setup to find any issues it might cause
+monkeypatch_escape()
+
STATICFILES_DIRS = get_staticfiles_dirs()
TEST_DIR = os.path.dirname(os.path.abspath(__file__))
--
1.9.1