Commit 005bee8f by Mushtaq Ali

Make templates safer

parent 4f71e263
<%page expression_filter="h"/>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%def name="online_help_token()"> <%def name="online_help_token()">
<% <%
...@@ -11,6 +12,7 @@ else: ...@@ -11,6 +12,7 @@ else:
<%! <%!
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from openedx.core.djangolib.markup import HTML, Text
from openedx.core.djangolib.js_utils import ( from openedx.core.djangolib.js_utils import (
dump_js_escaped_json, js_escaped_string dump_js_escaped_json, js_escaped_string
) )
...@@ -73,7 +75,10 @@ else: ...@@ -73,7 +75,10 @@ else:
<p>${_("You can export courses and edit them outside of {studio_name}. The exported file is a .tar.gz file (that is, a .tar file compressed with GNU Zip) that contains the course structure and content. You can also re-import courses that you've exported.").format( <p>${_("You can export courses and edit them outside of {studio_name}. The exported file is a .tar.gz file (that is, a .tar file compressed with GNU Zip) that contains the course structure and content. You can also re-import courses that you've exported.").format(
studio_name=settings.STUDIO_SHORT_NAME studio_name=settings.STUDIO_SHORT_NAME
)}</p> )}</p>
<p>${_("{em_start}Caution:{em_end} When you export a course, information such as MATLAB API keys, LTI passports, annotation secret token strings, and annotation storage URLs are included in the exported data. If you share your exported files, you may also be sharing sensitive or license-specific information.").format(em_start='<strong>', em_end="</strong>")}</p> <p>${Text(_("{em_start}Caution:{em_end} When you export a course, information such as MATLAB API keys, LTI passports, annotation secret token strings, and annotation storage URLs are included in the exported data. If you share your exported files, you may also be sharing sensitive or license-specific information.")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</p>
</div> </div>
%endif %endif
</div> </div>
...@@ -103,7 +108,11 @@ else: ...@@ -103,7 +108,11 @@ else:
%if not library: %if not library:
<div class="export-contents"> <div class="export-contents">
<div class="export-includes"> <div class="export-includes">
<h3 class="title-3">${_("Data {em_start}exported with{em_end} your course:").format(em_start='<strong>', em_end="</strong>")}</h3> <h3 class="title-3">
${Text(_("Data {em_start}exported with{em_end} your course:")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</h3>
<ul class="list-details list-export-includes"> <ul class="list-details list-export-includes">
<li class="item-detail">${_("Values from Advanced Settings, including MATLAB API keys and LTI passports")}</li> <li class="item-detail">${_("Values from Advanced Settings, including MATLAB API keys and LTI passports")}</li>
<li class="item-detail">${_("Course Content (all Sections, Sub-sections, and Units)")}</li> <li class="item-detail">${_("Course Content (all Sections, Sub-sections, and Units)")}</li>
...@@ -116,7 +125,11 @@ else: ...@@ -116,7 +125,11 @@ else:
</div> </div>
<div class="export-excludes"> <div class="export-excludes">
<h3 class="title-3">${_("Data {em_start}not exported{em_end} with your course:").format(em_start='<strong>', em_end="</strong>")}</h3> <h3 class="title-3">
${Text(_("Data {em_start}not exported{em_end} with your course:")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</h3>
<ul class="list-details list-export-excludes"> <ul class="list-details list-export-excludes">
<li class="item-detail">${_("User Data")}</li> <li class="item-detail">${_("User Data")}</li>
<li class="item-detail">${_("Course Team Data")}</li> <li class="item-detail">${_("Course Team Data")}</li>
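Review bot: The `HTML()` wrappers in the rewritten `.format()` calls mix quote styles — `em_start=HTML('<strong>')` next to `em_end=HTML("</strong>")` on L22–23, L34–35 and L45–46 — while the welcome page in the same commit uses single quotes for both; `em_end=HTML('</strong>')` would make the three blocks read the same. The placeholder names also differ between files (`em_start`/`em_end` here, `strong_start`/`strong_end` in the welcome page) for the same `<strong>` tag; since the placeholders are part of the msgid, renaming them would invalidate translations, so I would align only the quoting now. Each `Text(...).format(HTML(...))` expression in these hunks depends on the `<%page expression_filter="h"/>` directive added at the top of the file for escaping the translated text and `settings.STUDIO_SHORT_NAME`, so that directive must not be removed independently of these changes.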
......
<%page expression_filter="h"/>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
...@@ -38,7 +39,7 @@ ...@@ -38,7 +39,7 @@
% else: % else:
<ul class="list-actions"> <ul class="list-actions">
<li class="item-action"> <li class="item-action">
<a class="action action-export-git"" action-primary" href="${reverse('export_git', kwargs=dict(course_key_string=unicode(context_course.id)))}?action=push"> <a class="action action-export-git action-primary" href="${reverse('export_git', kwargs=dict(course_key_string=unicode(context_course.id)))}?action=push">
<i class="icon fa fa-arrow-circle-o-down"></i> <i class="icon fa fa-arrow-circle-o-down"></i>
<span class="copy">${_("Export to Git")}</span> <span class="copy">${_("Export to Git")}</span>
</a> </a>
...@@ -53,14 +54,14 @@ ...@@ -53,14 +54,14 @@
% else: % else:
<h3>${_('Export Succeeded')}:</h3> <h3>${_('Export Succeeded')}:</h3>
% endif % endif
<pre>${msg|h}</pre> <pre>${msg}</pre>
% endif % endif
</div> </div>
</article> </article>
<aside class="content-supplementary" role="complementary"> <aside class="content-supplementary" role="complementary">
<dl class="export-git-info-block"> <dl class="export-git-info-block">
<dt>${_("Your course:")}</dt> <dt>${_("Your course:")}</dt>
<dd class="course_text">${context_course.id | h}</dd> <dd class="course_text">${context_course.id}</dd>
<dt>${_("Course git url:")}</dt> <dt>${_("Course git url:")}</dt>
<dd class="giturl_text">${context_course.giturl}</dd> <dd class="giturl_text">${context_course.giturl}</dd>
</dl> </dl>
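Review bot: Dropping the explicit `| h` from `${msg}` (L67) and `${context_course.id}` (L74) is only correct because of the `<%page expression_filter="h"/>` directive added at the top of this file; read in isolation, this hunk looks like an escaping removal, and a later edit that drops the directive would silently un-escape `msg`, which presumably carries the export's output. A one-line Mako comment above the `<pre>`, `## msg is HTML-escaped by the page-level expression_filter="h"`, would record that dependency. Keeping `| h` was not an option, since with the page filter in place the value would be escaped twice and `&amp;` would render literally. The same directive now also covers `${context_course.giturl}` on L76, which previously had no filter at all.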
......
<%page expression_filter="h"/>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%def name="online_help_token()"><% return "welcome" %></%def> <%def name="online_help_token()"><% return "welcome" %></%def>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%! <%!
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from openedx.core.djangolib.markup import HTML, Text
%> %>
<%block name="title">${_("Welcome")}</%block> <%block name="title">${_("Welcome")}</%block>
...@@ -15,10 +17,8 @@ ...@@ -15,10 +17,8 @@
<section class="content content-header"> <section class="content content-header">
<header> <header>
<h1><span class="wrapper-text-welcome">${_("Welcome to {studio_name}").format( <h1><span class="wrapper-text-welcome">${_("Welcome to {studio_name}").format(
studio_name=u'</span><span class="logo">{studio_name}</span>'.format(
studio_name=settings.STUDIO_NAME studio_name=settings.STUDIO_NAME
) )}</span></h1>
)}</h1>
<p class="tagline">${_("{studio_name} helps manage your online courses, so you can focus on teaching them").format( <p class="tagline">${_("{studio_name} helps manage your online courses, so you can focus on teaching them").format(
studio_name=settings.STUDIO_SHORT_NAME studio_name=settings.STUDIO_SHORT_NAME
)}</p> )}</p>
...@@ -46,12 +46,20 @@ ...@@ -46,12 +46,20 @@
<div class="copy"> <div class="copy">
<h3>${_("Keeping Your Course Organized")}</h3> <h3>${_("Keeping Your Course Organized")}</h3>
<p>${_("The backbone of your course is how it is organized. {studio_name} offers an <strong>Outline</strong> editor, providing a simple hierarchy and easy drag and drop to help you and your students stay organized.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p> <p>${Text(_("The backbone of your course is how it is organized. {studio_name} offers an {strong_start}Outline{strong_end} editor, providing a simple hierarchy and easy drag and drop to help you and your students stay organized.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
<ul class="list-proofpoints"> <ul class="list-proofpoints">
<li class="proofpoint"> <li class="proofpoint">
<h4 class="title">${_("Simple Organization For Content")}</h4> <h4 class="title">${_("Simple Organization For Content")}</h4>
<p>${_("{studio_name} uses a simple hierarchy of <strong>sections</strong> and <strong>subsections</strong> to organize your content.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p> <p>${Text(_("{studio_name} uses a simple hierarchy of {strong_start}sections{strong_end} and {strong_start}subsections{strong_end} to organize your content.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li> </li>
<li class="proofpoint"> <li class="proofpoint">
...@@ -61,7 +69,10 @@ ...@@ -61,7 +69,10 @@
<li class="proofpoint"> <li class="proofpoint">
<h4 class="title">${_("Go A Week Or A Semester At A Time")}</h4> <h4 class="title">${_("Go A Week Or A Semester At A Time")}</h4>
<p>${_("Build and release <strong>sections</strong> to your students incrementally. You don't have to have it all done at once.")}</p> <p>${Text(_("Build and release {strong_start}sections{strong_end} to your students incrementally. You don't have to have it all done at once.")).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li> </li>
</ul> </ul>
</div> </div>
...@@ -124,7 +135,11 @@ ...@@ -124,7 +135,11 @@
<li class="proofpoint"> <li class="proofpoint">
<h4 class="title">${_("Release-On Date Publishing")}</h4> <h4 class="title">${_("Release-On Date Publishing")}</h4>
<p>${_("When you've finished a <strong>section</strong>, pick when you want it to go live and {studio_name} takes care of the rest. Build your course incrementally.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p> <p>${Text(_("When you've finished a {strong_start}section{strong_end}, pick when you want it to go live and {studio_name} takes care of the rest. Build your course incrementally.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li> </li>
<li class="proofpoint"> <li class="proofpoint">
...@@ -146,7 +161,7 @@ ...@@ -146,7 +161,7 @@
<ul class="list-actions"> <ul class="list-actions">
<li class="action-item"> <li class="action-item">
<a href="${reverse('signup')}" class="action action-primary">${_("Sign Up &amp; Start Making an {platform_name} Course").format(platform_name=settings.PLATFORM_NAME)}</a> <a href="${reverse('signup')}" class="action action-primary">${_("Sign Up & Start Making Your {platform_name} Course").format(platform_name=settings.PLATFORM_NAME)}</a>
</li> </li>
<li class="action-item"> <li class="action-item">
<a href="${reverse('login')}" class="action action-secondary">${_("Already have a {studio_name} Account? Sign In").format(studio_name=settings.STUDIO_SHORT_NAME)}</a> <a href="${reverse('login')}" class="action action-secondary">${_("Already have a {studio_name} Account? Sign In").format(studio_name=settings.STUDIO_SHORT_NAME)}</a>
...@@ -159,7 +174,7 @@ ...@@ -159,7 +174,7 @@
<h3 class="title">${_("Outlining Your Course")}</h3> <h3 class="title">${_("Outlining Your Course")}</h3>
<figure> <figure>
<img src="${static.url("images/hiw-feature1.png")}" alt="" /> <img src="${static.url("images/hiw-feature1.png")}" alt="" />
<figcaption class="description">${_("Simple two-level outline to organize your couse. Drag and drop, and see your course at a glance.")}</figcaption> <figcaption class="description">${_("Simple two-level outline to organize your course. Drag and drop, and see your course at a glance.")}</figcaption>
</figure> </figure>
<a href="" rel="view" class="action action-modal-close"> <a href="" rel="view" class="action action-modal-close">
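Review bot: The rewritten heading on L92–L95 drops the `</span><span class="logo">…</span>` markup that the old code injected around the studio name, so the `.logo` span no longer exists in the DOM; if the stylesheet targets `.wrapper-text-welcome .logo` (not visible here), the heading's appearance changes, which is a visual regression beyond the escaping fix. The same structure can be kept safely with the helpers this commit already imports: `${Text(_("Welcome to {studio_name}")).format(studio_name=HTML('</span><span class="logo">{name}</span>').format(name=settings.STUDIO_NAME))}`, since `.format()` on an `HTML()` value escapes its arguments as far as I can tell — worth confirming against `openedx.core.djangolib.markup`. If the span was dropped on purpose, the commit message should say so.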
......
<div class="wrapper wrapper-modal-window wrapper-modal-window-<%= name %>" <div class="wrapper wrapper-modal-window wrapper-modal-window-<%- name %>"
aria-labelledby="modal-window-title" aria-labelledby="modal-window-title"
role="dialog"> role="dialog">
<div class="modal-window-overlay"></div> <div class="modal-window-overlay"></div>
<div class="modal-window <%= viewSpecificClasses %> modal-<%= size %> modal-type-<%= type %>" tabindex="-1" aria-labelledby="modal-window-title"> <div class="modal-window <%- viewSpecificClasses %> modal-<%- size %> modal-type-<%- type %>" tabindex="-1" aria-labelledby="modal-window-title">
<div class="<%= name %>-modal"> <div class="<%- name %>-modal">
<div class="modal-header"> <div class="modal-header">
<h2 id="modal-window-title" class="title modal-window-title"><%= title %></h2> <h2 id="modal-window-title" class="title modal-window-title"><%- title %></h2>
<ul class="editor-modes action-list action-modes"> <ul class="editor-modes action-list action-modes">
</ul> </ul>
</div> </div>
<div class="modal-content"> <div class="modal-content">
</div> </div>
<div class="modal-actions"> <div class="modal-actions">
<h3 class="sr"><%= gettext("Actions") %></h3> <h3 class="sr"><%- gettext("Actions") %></h3>
<ul></ul> <ul></ul>
</div> </div>
</div> </div>
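Review bot: The dialog on L153–L157 declares `aria-labelledby="modal-window-title"` twice, once on the outer wrapper that carries `role="dialog"` and again on the inner `.modal-window` that has no role, and the `role="dialog"` element has no `aria-modal="true"`. The inner attribute has no effect without a role and can be dropped; `aria-modal="true"` on the outer element tells assistive technology that the content behind the overlay is inert, assuming the view's JavaScript actually traps focus, which is not visible here. The switch to `<%- %>` itself is correct for all of these interpolations, including the ones that build class attributes.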
......
<li class="action-item"> <li class="action-item">
<a href="#" class="button <%= isPrimary ? 'action-primary' : '' %> action-<%= type %>"><%= name %></a> <a href="#" class="button <%- isPrimary ? 'action-primary' : '' %> action-<%- type %>"><%- name %></a>
</li> </li>
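Review bot: The rewritten line L173 keeps `<a href="#">` as the modal's action trigger; an anchor whose `href` is `#` navigates nowhere and exists only to be clicked, which is what `<button>` is for, and it also scrolls the page to the top if a handler forgets `preventDefault()`. `<button type="button" class="button <%- isPrimary ? 'action-primary' : '' %> action-<%- type %>"><%- name %></button>` keeps the classes and the escaped label; the view code that binds the click handler (not visible here) would need to select `button` instead of `a`. Escaping `isPrimary`, `type` and `name` with `<%- %>` is the right change, since these values end up inside a class attribute.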
<form class="upload-dialog" method="POST" action="<%= url %>" enctype="multipart/form-data"> <form class="upload-dialog" method="POST" action="<%- url %>" enctype="multipart/form-data">
<p id="dialog-assetupload-description" class="message"><%= message %></p> <p id="dialog-assetupload-description" class="message"><%- message %></p>
<input type="file" name="file" <% if(error && error.attributes && error.attributes.selectedFile) {%>class="error"<% } %> /> <input type="file" name="file" <% if(error && error.attributes && error.attributes.selectedFile) {%>class="error"<% } %> />
<div class="status-upload"> <div class="status-upload">
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
<% if(uploading) { %> <% if(uploading) { %>
<div class="wrapper-progress"> <div class="wrapper-progress">
<% if (uploadedBytes && totalBytes) { %> <% if (uploadedBytes && totalBytes) { %>
<progress value="<%= uploadedBytes %>" max="<%= totalBytes %>"><%= uploadedBytes/totalBytes*100 %>%</progress> <progress value="<%- uploadedBytes %>" max="<%- totalBytes %>"><%- uploadedBytes/totalBytes*100 %>%</progress>
<% } else { %> <% } else { %>
<progress></progress> <progress></progress>
<% } %> <% } %>
...@@ -16,13 +16,13 @@ ...@@ -16,13 +16,13 @@
<% if(error) {%> <% if(error) {%>
<div id="upload_error" class="message message-status error is-shown" name="upload_error"> <div id="upload_error" class="message message-status error is-shown" name="upload_error">
<p><%= error.message %></p> <p><%- error.message %></p>
</div> </div>
<% } %> <% } %>
<% if(finished) { %> <% if(finished) { %>
<div id="upload_confirm" class="message message-status confirm success is-shown" name="upload_confirm"> <div id="upload_confirm" class="message message-status confirm success is-shown" name="upload_confirm">
<p><%= gettext("File upload succeeded") %></p> <p><%- gettext("File upload succeeded") %></p>
</div> </div>
<% } %> <% } %>
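Review bot: The fallback text inside `<progress>` on L183, `<%- uploadedBytes/totalBytes*100 %>%`, prints the raw division result, so a partially uploaded file can render as something like `33.33333333333333%` in browsers that show the fallback; `<%- Math.round(uploadedBytes/totalBytes*100) %>%` gives a readable integer. The `value` and `max` attributes themselves are fine as byte counts. Switching to `<%- %>` for `url`, `message` and `error.message` is the right change, since `error.message` may echo server-supplied text.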
......
<%page expression_filter="h"/>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%def name="online_help_token()"><% return "login" %></%def> <%def name="online_help_token()"><% return "login" %></%def>
<%! <%!
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from openedx.core.djangolib.js_utils import js_escaped_string
%> %>
<%block name="title">${_("Sign In")}</%block> <%block name="title">${_("Sign In")}</%block>
<%block name="bodyclass">not-signedin view-signin</%block> <%block name="bodyclass">not-signedin view-signin</%block>
...@@ -51,6 +53,6 @@ from django.utils.translation import ugettext as _ ...@@ -51,6 +53,6 @@ from django.utils.translation import ugettext as _
<%block name="requirejs"> <%block name="requirejs">
require(["js/factories/login"], function(LoginFactory) { require(["js/factories/login"], function(LoginFactory) {
LoginFactory("${reverse('homepage')}"); LoginFactory("${reverse('homepage') | n, js_escaped_string}");
}); });
</%block> </%block>
<%page expression_filter="h"/>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%def name="online_help_token()"><% return "advanced" %></%def> <%def name="online_help_token()"><% return "advanced" %></%def>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
...@@ -7,6 +8,7 @@ ...@@ -7,6 +8,7 @@
from openedx.core.djangolib.js_utils import ( from openedx.core.djangolib.js_utils import (
dump_js_escaped_json, js_escaped_string dump_js_escaped_json, js_escaped_string
) )
from openedx.core.djangolib.markup import HTML, Text
%> %>
<%block name="title">${_("Advanced Settings")}</%block> <%block name="title">${_("Advanced Settings")}</%block>
<%block name="bodyclass">is-signedin course advanced view-settings</%block> <%block name="bodyclass">is-signedin course advanced view-settings</%block>
...@@ -57,7 +59,10 @@ ...@@ -57,7 +59,10 @@
</header> </header>
<p class="instructions">${_("<strong>Warning</strong>: Do not modify these policies unless you are familiar with their purpose.")}</p> <p class="instructions">${Text(_("{strong_start}Warning{strong_end}: Do not modify these policies unless you are familiar with their purpose.")).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
<div class="wrapper-options"> <div class="wrapper-options">
<div class="wrapper-deprecated-setting"> <div class="wrapper-deprecated-setting">
...@@ -80,7 +85,10 @@ ...@@ -80,7 +85,10 @@
<p>${_("Any policies you modify here override all other information you've defined elsewhere in {studio_name}. Do not edit policies unless you are familiar with both their purpose and syntax.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p> <p>${_("Any policies you modify here override all other information you've defined elsewhere in {studio_name}. Do not edit policies unless you are familiar with both their purpose and syntax.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p>
<p>${_("{em_start}Note:{em_end} When you enter strings as policy values, ensure that you use double quotation marks (&quot;) around the string. Do not use single quotation marks (&apos;).").format(em_start='<strong>', em_end="</strong>")}</p> <p>${Text(_('{em_start}Note:{em_end} When you enter strings as policy values, ensure that you use double quotation marks (\") around the string. Do not use single quotation marks (\').')).format(
em_start=HTML('<strong>'),
em_end=HTML('</strong>')
)}</p>
</div> </div>
<div class="bit"> <div class="bit">
...@@ -93,7 +101,7 @@ ...@@ -93,7 +101,7 @@
<h3 class="title-3">${_("Other Course Settings")}</h3> <h3 class="title-3">${_("Other Course Settings")}</h3>
<nav class="nav-related" aria-label="${_('Other Course Settings')}"> <nav class="nav-related" aria-label="${_('Other Course Settings')}">
<ul> <ul>
<li class="nav-item"><a href="${details_url}">${_("Details &amp; Schedule")}</a></li> <li class="nav-item"><a href="${details_url}">${_("Details & Schedule")}</a></li>
<li class="nav-item"><a href="${grading_url}">${_("Grading")}</a></li> <li class="nav-item"><a href="${grading_url}">${_("Grading")}</a></li>
<li class="nav-item"><a href="${course_team_url}">${_("Course Team")}</a></li> <li class="nav-item"><a href="${course_team_url}">${_("Course Team")}</a></li>
<li class="nav-item"><a href="${utils.reverse_course_url('group_configurations_list_handler', context_course.id)}">${_("Group Configurations")}</a></li> <li class="nav-item"><a href="${utils.reverse_course_url('group_configurations_list_handler', context_course.id)}">${_("Group Configurations")}</a></li>
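Review bot: The new msgid on L237 escapes the double quote as `\"` inside a single-quoted Python literal, where only `\'` needs escaping; `(\")` is therefore just `(")` with an unnecessary backslash, and writing it as `double quotation marks (") around the string. Do not use single quotation marks (\').` reads cleaner for translators reviewing the source. Both this string and `Details & Schedule` on L247 change their msgids (entities replaced by the literal characters, now that the page filter escapes them), so existing translations for these two strings will fall back to English until the message catalogs are re-extracted and updated. The `<strong>` placeholders are named `em_start`/`em_end` here but `strong_start`/`strong_end` on L230–L231 of the same file; either works, but one convention per file is easier to read.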
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
<div class="wrapper wrapper-l"> <div class="wrapper wrapper-l">
<h1 class="branding"><a href="/"> <h1 class="branding"><a href="/">
<img src="${static.url("images/studio-logo.png")}" alt="${settings.STUDIO_NAME}" /> <img src="${static.url('images/studio-logo.png')}" alt="${settings.STUDIO_NAME}" />
</a></h1> </a></h1>
% if context_course: % if context_course:
...@@ -218,7 +218,7 @@ ...@@ -218,7 +218,7 @@
<h2 class="sr">${_("Account Navigation")}</h2> <h2 class="sr">${_("Account Navigation")}</h2>
<ol> <ol>
<li class="nav-item nav-account-help"> <li class="nav-item nav-account-help">
<h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_("Contextual Online Help")}" target="_blank">${_("Help")}</a></span></h3> <h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a></span></h3>
</li> </li>
<li class="nav-item nav-account-user"> <li class="nav-item nav-account-user">
<h3 class="title"><span class="label"><span class="label-prefix sr">${_("Currently signed in as:")}</span><span class="account-username" title="${ user.username }">${ user.username }</span></span> <i class="icon fa fa-caret-down ui-toggle-dd"></i></h3> <h3 class="title"><span class="label"><span class="label-prefix sr">${_("Currently signed in as:")}</span><span class="account-username" title="${ user.username }">${ user.username }</span></span> <i class="icon fa fa-caret-down ui-toggle-dd"></i></h3>
...@@ -244,7 +244,7 @@ ...@@ -244,7 +244,7 @@
<h2 class="sr">${_("Account Navigation")}</h2> <h2 class="sr">${_("Account Navigation")}</h2>
<ol> <ol>
<li class="nav-item nav-not-signedin-help"> <li class="nav-item nav-not-signedin-help">
<a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_("Contextual Online Help")}" target="_blank">${_("Help")}</a> <a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a>
</li> </li>
<li class="nav-item nav-not-signedin-signup"> <li class="nav-item nav-not-signedin-signup">
<a class="action action-signup" href="${reverse('signup')}">${_("Sign Up")}</a> <a class="action action-signup" href="${reverse('signup')}">${_("Sign Up")}</a>
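Review bot: The help links on L262 and L270 open in a new tab with `target="_blank"` but carry no `rel` attribute; adding `rel="noopener noreferrer"` stops the help site from receiving a `window.opener` handle to the Studio tab. The `doc_url` comes from `get_online_help_info`, presumably site configuration, so the risk is low, but the attribute is free and these lines are already being touched for the quote change. The quote change itself (`_('Contextual Online Help')` inside a double-quoted `title`) is correct; the old nested double quotes only worked because Mako substitutes `${}` before the browser ever sees the attribute.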
......