6458N/APatch taken from https://review.openstack.org/329997 (Liberty) and
6458N/Aslightly modified to adjust for gpatch fuzz for application to Kilo.
6458N/A
6458N/AFrom d585e5eb9acf92d10d39b6c2038917a7e8ac71bb Mon Sep 17 00:00:00 2001
6458N/AFrom: Richard Jones <r1chardj0n3s@gmail.com>
6458N/ADate: Tue, 3 May 2016 15:51:49 +1000
6458N/ASubject: [PATCH] Escape angularjs templating in unsafe HTML
6458N/A
6458N/AThis code extends the unsafe (typically user-supplied) HTML escape
6458N/Abuilt into Django to also escape angularjs templating markers. Safe
6458N/AHTML will be unaffected.
6458N/A
6458N/ACloses-bug: 1567673
6458N/AChange-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
6458N/A(cherry picked from commit 4bc01cedf39cdeff2553d01cdace707a1ecf6620)
6458N/A---
6458N/A horizon/utils/escape.py | 31 +++++++++++++++++++++++++++++++
6458N/A openstack_dashboard/settings.py | 3 +++
6458N/A openstack_dashboard/test/settings.py | 6 ++++++
6458N/A 3 files changed, 40 insertions(+)
6458N/A create mode 100644 horizon/utils/escape.py
6458N/A
6458N/Adiff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
6458N/Anew file mode 100644
6458N/Aindex 0000000..471a90f
6458N/A--- /dev/null
6458N/A+++ b/horizon/utils/escape.py
6458N/A@@ -0,0 +1,31 @@
6458N/A+# Copyright 2016, Rackspace, US, Inc.
6458N/A+#
6458N/A+# Licensed under the Apache License, Version 2.0 (the "License");
6458N/A+# you may not use this file except in compliance with the License.
6458N/A+# You may obtain a copy of the License at
6458N/A+#
6458N/A+# http://www.apache.org/licenses/LICENSE-2.0
6458N/A+#
6458N/A+# Unless required by applicable law or agreed to in writing, software
6458N/A+# distributed under the License is distributed on an "AS IS" BASIS,
6458N/A+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
6458N/A+# See the License for the specific language governing permissions and
6458N/A+# limitations under the License.
6458N/A+
6458N/A+import django.utils.html
6458N/A+
6458N/A+
6458N/A+def escape(text, existing=django.utils.html.escape):
6458N/A+ # Replace our angular markup string with a different string
6458N/A+ # (which just happens to be the Django comment string)
6458N/A+ # this prevents user-supplied data from being intepreted in
6458N/A+ # our pages by angularjs, thus preventing it from being used
6458N/A+ # for XSS attacks. Note that we use {$ $} instead of the
6458N/A+ # standard {{ }} - this is configured in horizon.framework
6458N/A+ # angularjs module through $interpolateProvider
6458N/A+ return existing(text).replace('{$', '{%').replace('$}', '%}')
6458N/A+
6458N/A+
6458N/A+# this will be invoked as early as possible in settings.py
6458N/A+def monkeypatch_escape():
6458N/A+ django.utils.html.escape = escape
6458N/Adiff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
6458N/Aindex 5761a91..803b079 100644
6458N/A--- a/openstack_dashboard/settings.py
6458N/A+++ b/openstack_dashboard/settings.py
6458N/A@@ -27,6 +27,9 @@ from openstack_dashboard import exceptions
6458N/A from openstack_dashboard import exceptions
6458N/A from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
6458N/A
6458N/A+from horizon.utils.escape import monkeypatch_escape
6458N/A+
6458N/A+monkeypatch_escape()
6458N/A
6458N/A warnings.formatwarning = lambda message, category, *args, **kwargs: \
6458N/A '%s: %s' % (category.__name__, message)
6458N/Adiff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
6458N/Aindex 1926644..45f1d06 100644
6458N/A--- a/openstack_dashboard/test/settings.py
6458N/A+++ b/openstack_dashboard/test/settings.py
6458N/A@@ -17,6 +17,12 @@ from openstack_dashboard import exceptions
6458N/A from openstack_dashboard import exceptions
6458N/A from openstack_dashboard.static_settings import get_staticfiles_dirs # noqa
6458N/A
6458N/A+from horizon.utils.escape import monkeypatch_escape
6458N/A+
6458N/A+# this is used to protect from client XSS attacks, but it's worth
6458N/A+# enabling in our test setup to find any issues it might cause
6458N/A+monkeypatch_escape()
6458N/A+
6458N/A STATICFILES_DIRS = get_staticfiles_dirs()
6458N/A
6458N/A TEST_DIR = os.path.dirname(os.path.abspath(__file__))
6458N/A--
6458N/A1.9.1
6458N/A
6458N/A