Add our rails-angular-xss protection

Them gem patches Rails XSS protection methods with a replacement of `{{`
strings with `{{ DOUBLE_LEFT_CURLY_BRACE }} `.

`DOUBLE_LEFT_CURLY_BRACE` is defined by Angular to return `{{`, so we
actually do execute the interpolation, but only to return the original
string.

More information:

https://github.com/opf/rails-angular-xss
angular/angular.js#5601

Author: oliverguenther

Gemfile

@@ -95,6 +95,9 @@ gem 'rack-protection', git: 'https://github.com/finnlabs/rack-protection.git', r
 # https://github.com/kickstarter/rack-attack
 gem 'rack-attack'
 
+# Patch Rails HTML whitelisting for Angular curly braces
+gem 'rails-angular-xss', github: 'opf/rails-angular-xss'
+
 gem "syck", '~> 1.0.5', require: false
 gem 'gon', '~> 4.0'
 

Gemfile.lock

@@ -22,6 +22,13 @@ GIT
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
 
+GIT
+  remote: git://github.com/opf/rails-angular-xss.git
+  revision: 11c068e623bbce09e35f41cf022d2204906e6a1f
+  specs:
+    rails-angular-xss (0.1.0)
+      rails (>= 4.2.0, < 5.0)
+
 GIT
   remote: git://github.com/why-el/svg-graph.git
   revision: e79abffa66639ab203d099250c5d2656a4ebf917
@@ -192,7 +199,7 @@ GEM
     coercible (1.0.0)
       descendants_tracker (~> 0.0.1)
     color-tools (1.3.0)
-    concurrent-ruby (1.0.1)
+    concurrent-ruby (1.0.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     crowdin-api (0.4.0)
@@ -319,13 +326,13 @@ GEM
       tilt
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     method_source (0.8.2)
     mime-types (2.99.2)
-    mini_portile2 (2.0.0)
+    mini_portile2 (2.1.0)
     minisyntax (0.2.5)
-    minitest (5.8.4)
+    minitest (5.9.0)
     mixlib-shellout (2.1.0)
     multi_json (1.11.3)
     multi_test (0.1.2)
@@ -334,8 +341,9 @@ GEM
     net-ldap (0.14.0)
     netrc (0.11.0)
     newrelic_rpm (3.15.0.314)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
     oj (2.14.6)
     parallel (1.6.2)
     parallel_tests (2.4.1)
@@ -347,6 +355,7 @@ GEM
       rake (>= 0.8.1)
     pdf-core (0.6.1)
     pg (0.18.4)
+    pkg-config (1.1.7)
     poltergeist (1.9.0)
       capybara (~> 2.1)
       cliver (~> 0.3.1)
@@ -427,7 +436,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rainbow (2.1.0)
     raindrops (0.16.0)
-    rake (11.1.1)
+    rake (11.2.2)
     rb-readline (0.5.3)
     rdoc (4.2.2)
       json (~> 1.4)
@@ -646,6 +655,7 @@ DEPENDENCIES
   rack-test (~> 0.6.2)
   rack_session_access
   rails (~> 4.2.5)
+  rails-angular-xss!
   rails-observers
   rails_12factor
   rails_autolink (~> 1.1.6)

frontend/app/init-app.js

@@ -110,6 +110,11 @@ opApp
                KeyboardShortcutService) {
         $http.defaults.headers.common.Accept = 'application/json';
 
+        // Set the escaping target of opening double curly braces
+        // This is what returned by rails-angular-xss when it discoveres double open curly braces
+        // See https://github.com/opf/rails-angular-xss for more information.
+        $rootScope.DOUBLE_LEFT_CURLY_BRACE = '{{';
+
         $rootScope.showNavigation =
             $window.sessionStorage.getItem('openproject:navigation-toggle') !==
             'collapsed';