Commit 005bee8f by Mushtaq Ali

Make templates safer

parent 4f71e263
<%page expression_filter="h"/>
<%inherit file="base.html" />
<%def name="online_help_token()">
<%
......@@ -11,6 +12,7 @@ else:
<%!
from django.utils.translation import ugettext as _
from openedx.core.djangolib.markup import HTML, Text
from openedx.core.djangolib.js_utils import (
dump_js_escaped_json, js_escaped_string
)
......@@ -73,7 +75,10 @@ else:
<p>${_("You can export courses and edit them outside of {studio_name}. The exported file is a .tar.gz file (that is, a .tar file compressed with GNU Zip) that contains the course structure and content. You can also re-import courses that you've exported.").format(
studio_name=settings.STUDIO_SHORT_NAME
)}</p>
<p>${_("{em_start}Caution:{em_end} When you export a course, information such as MATLAB API keys, LTI passports, annotation secret token strings, and annotation storage URLs are included in the exported data. If you share your exported files, you may also be sharing sensitive or license-specific information.").format(em_start='<strong>', em_end="</strong>")}</p>
<p>${Text(_("{em_start}Caution:{em_end} When you export a course, information such as MATLAB API keys, LTI passports, annotation secret token strings, and annotation storage URLs are included in the exported data. If you share your exported files, you may also be sharing sensitive or license-specific information.")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</p>
</div>
%endif
</div>
......@@ -103,7 +108,11 @@ else:
%if not library:
<div class="export-contents">
<div class="export-includes">
<h3 class="title-3">${_("Data {em_start}exported with{em_end} your course:").format(em_start='<strong>', em_end="</strong>")}</h3>
<h3 class="title-3">
${Text(_("Data {em_start}exported with{em_end} your course:")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</h3>
<ul class="list-details list-export-includes">
<li class="item-detail">${_("Values from Advanced Settings, including MATLAB API keys and LTI passports")}</li>
<li class="item-detail">${_("Course Content (all Sections, Sub-sections, and Units)")}</li>
......@@ -116,7 +125,11 @@ else:
</div>
<div class="export-excludes">
<h3 class="title-3">${_("Data {em_start}not exported{em_end} with your course:").format(em_start='<strong>', em_end="</strong>")}</h3>
<h3 class="title-3">
${Text(_("Data {em_start}not exported{em_end} with your course:")).format(
em_start=HTML('<strong>'),
em_end=HTML("</strong>")
)}</h3>
<ul class="list-details list-export-excludes">
<li class="item-detail">${_("User Data")}</li>
<li class="item-detail">${_("Course Team Data")}</li>
......
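Review bot: The quoting inside the new `HTML()` calls is inconsistent — `em_start=HTML('<strong>')` next to `em_end=HTML("</strong>")` in the hunks at `@@ -73,7 +75,10 @@`, `@@ -103,7 +108,11 @@` and `@@ -116,7 +125,11 @@` — while the other templates in this commit use single quotes for both; settle on one form, e.g. `em_end=HTML('</strong>')`. The `Text(...).format(HTML(...))` pattern is the right way to keep the page-level `expression_filter="h"` in force: only the literal `<strong>` tags are marked safe and `studio_name=settings.STUDIO_SHORT_NAME` still goes through escaping. Since the first hunk also imports `js_escaped_string`, a template comment next to `<%page expression_filter="h"/>` would help the next editor, e.g. `## Every ${...} is HTML-escaped; wrap only literal markup in HTML(), and use "| n, js_escaped_string" for values placed inside script code`. The `%if` block that contains these paragraphs starts outside the hunk.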
<%page expression_filter="h"/>
<%inherit file="base.html" />
<%namespace name='static' file='static_content.html'/>
......@@ -38,7 +39,7 @@
% else:
<ul class="list-actions">
<li class="item-action">
<a class="action action-export-git"" action-primary" href="${reverse('export_git', kwargs=dict(course_key_string=unicode(context_course.id)))}?action=push">
<a class="action action-export-git action-primary" href="${reverse('export_git', kwargs=dict(course_key_string=unicode(context_course.id)))}?action=push">
<i class="icon fa fa-arrow-circle-o-down"></i>
<span class="copy">${_("Export to Git")}</span>
</a>
......@@ -53,14 +54,14 @@
% else:
<h3>${_('Export Succeeded')}:</h3>
% endif
<pre>${msg|h}</pre>
<pre>${msg}</pre>
% endif
</div>
</article>
<aside class="content-supplementary" role="complementary">
<dl class="export-git-info-block">
<dt>${_("Your course:")}</dt>
<dd class="course_text">${context_course.id | h}</dd>
<dd class="course_text">${context_course.id}</dd>
<dt>${_("Course git url:")}</dt>
<dd class="giturl_text">${context_course.giturl}</dd>
</dl>
......
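Review bot: The corrected link `<a class="action action-export-git action-primary" href="${reverse('export_git', ...)}?action=push">` still triggers the git push through a plain GET navigation; if the `export_git` view performs the push whenever `action=push` is present, that is a CSRF-prone pattern and the action belongs in a `<form method="post">` with a submit button and the CSRF token — the view is not visible here, so this needs checking rather than assuming. Dropping the explicit `| h` on `${msg}` and `${context_course.id}` is correct now that `<%page expression_filter="h"/>` applies, and `${context_course.giturl}` in the same hunk appears to gain escaping it did not have before. The `% if` around the `<pre>` starts outside the hunk.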
<%page expression_filter="h"/>
<%inherit file="base.html" />
<%def name="online_help_token()"><% return "welcome" %></%def>
<%namespace name='static' file='static_content.html'/>
<%!
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from openedx.core.djangolib.markup import HTML, Text
%>
<%block name="title">${_("Welcome")}</%block>
......@@ -15,10 +17,8 @@
<section class="content content-header">
<header>
<h1><span class="wrapper-text-welcome">${_("Welcome to {studio_name}").format(
studio_name=u'</span><span class="logo">{studio_name}</span>'.format(
studio_name=settings.STUDIO_NAME
)
)}</h1>
)}</span></h1>
<p class="tagline">${_("{studio_name} helps manage your online courses, so you can focus on teaching them").format(
studio_name=settings.STUDIO_SHORT_NAME
)}</p>
......@@ -46,12 +46,20 @@
<div class="copy">
<h3>${_("Keeping Your Course Organized")}</h3>
<p>${_("The backbone of your course is how it is organized. {studio_name} offers an <strong>Outline</strong> editor, providing a simple hierarchy and easy drag and drop to help you and your students stay organized.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p>
<p>${Text(_("The backbone of your course is how it is organized. {studio_name} offers an {strong_start}Outline{strong_end} editor, providing a simple hierarchy and easy drag and drop to help you and your students stay organized.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
<ul class="list-proofpoints">
<li class="proofpoint">
<h4 class="title">${_("Simple Organization For Content")}</h4>
<p>${_("{studio_name} uses a simple hierarchy of <strong>sections</strong> and <strong>subsections</strong> to organize your content.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p>
<p>${Text(_("{studio_name} uses a simple hierarchy of {strong_start}sections{strong_end} and {strong_start}subsections{strong_end} to organize your content.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li>
<li class="proofpoint">
......@@ -61,7 +69,10 @@
<li class="proofpoint">
<h4 class="title">${_("Go A Week Or A Semester At A Time")}</h4>
<p>${_("Build and release <strong>sections</strong> to your students incrementally. You don't have to have it all done at once.")}</p>
<p>${Text(_("Build and release {strong_start}sections{strong_end} to your students incrementally. You don't have to have it all done at once.")).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li>
</ul>
</div>
......@@ -124,7 +135,11 @@
<li class="proofpoint">
<h4 class="title">${_("Release-On Date Publishing")}</h4>
<p>${_("When you've finished a <strong>section</strong>, pick when you want it to go live and {studio_name} takes care of the rest. Build your course incrementally.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p>
<p>${Text(_("When you've finished a {strong_start}section{strong_end}, pick when you want it to go live and {studio_name} takes care of the rest. Build your course incrementally.")).format(
studio_name=settings.STUDIO_SHORT_NAME,
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
</li>
<li class="proofpoint">
......@@ -146,7 +161,7 @@
<ul class="list-actions">
<li class="action-item">
<a href="${reverse('signup')}" class="action action-primary">${_("Sign Up &amp; Start Making an {platform_name} Course").format(platform_name=settings.PLATFORM_NAME)}</a>
<a href="${reverse('signup')}" class="action action-primary">${_("Sign Up & Start Making Your {platform_name} Course").format(platform_name=settings.PLATFORM_NAME)}</a>
</li>
<li class="action-item">
<a href="${reverse('login')}" class="action action-secondary">${_("Already have a {studio_name} Account? Sign In").format(studio_name=settings.STUDIO_SHORT_NAME)}</a>
......@@ -159,7 +174,7 @@
<h3 class="title">${_("Outlining Your Course")}</h3>
<figure>
<img src="${static.url("images/hiw-feature1.png")}" alt="" />
<figcaption class="description">${_("Simple two-level outline to organize your couse. Drag and drop, and see your course at a glance.")}</figcaption>
<figcaption class="description">${_("Simple two-level outline to organize your course. Drag and drop, and see your course at a glance.")}</figcaption>
</figure>
<a href="" rel="view" class="action action-modal-close">
......
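Review bot: The rewritten welcome heading in the hunk at `@@ -15,10 +17,8 @@` appears to no longer emit the `<span class="logo">` wrapper that the removed `studio_name=u'</span><span class="logo">{studio_name}</span>'` line produced, so the studio name becomes plain text inside `.wrapper-text-welcome` and any stylesheet rule for `.logo` in that heading goes dead; if the styling is still wanted, keep the page filter intact by passing the markup as `Text(_("Welcome to {span_start}{studio_name}{span_end}")).format(span_start=HTML('<span class="logo">'), span_end=HTML('</span>'), studio_name=settings.STUDIO_NAME)`, as the other hunks in this file do for `<strong>`. Every other converted paragraph here, and the `&amp;` → `&` change in the sign-up link, correctly lets `expression_filter="h"` do the escaping. Changing those msgids invalidates the existing translations for them, which is expected but worth confirming in the catalogs. The `<header>` element around the heading starts outside the hunk.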
<div class="wrapper wrapper-modal-window wrapper-modal-window-<%= name %>"
<div class="wrapper wrapper-modal-window wrapper-modal-window-<%- name %>"
aria-labelledby="modal-window-title"
role="dialog">
<div class="modal-window-overlay"></div>
<div class="modal-window <%= viewSpecificClasses %> modal-<%= size %> modal-type-<%= type %>" tabindex="-1" aria-labelledby="modal-window-title">
<div class="<%= name %>-modal">
<div class="modal-window <%- viewSpecificClasses %> modal-<%- size %> modal-type-<%- type %>" tabindex="-1" aria-labelledby="modal-window-title">
<div class="<%- name %>-modal">
<div class="modal-header">
<h2 id="modal-window-title" class="title modal-window-title"><%= title %></h2>
<h2 id="modal-window-title" class="title modal-window-title"><%- title %></h2>
<ul class="editor-modes action-list action-modes">
</ul>
</div>
<div class="modal-content">
</div>
<div class="modal-actions">
<h3 class="sr"><%= gettext("Actions") %></h3>
<h3 class="sr"><%- gettext("Actions") %></h3>
<ul></ul>
</div>
</div>
......
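Review bot: Switching every interpolation to `<%- %>` means `title` in `<h2 id="modal-window-title" class="title modal-window-title"><%- title %></h2>` (and `name`, `size`, `type`, `viewSpecificClasses`) is now HTML-escaped, so a caller that passed a pre-built HTML fragment as the modal title will see the markup rendered literally; the callers are not visible here and should be checked before merging, and the same applies to `<%- message %>` and `<%- error.message %>` in the upload-dialog template below. A one-line comment at the top of the template would make the contract explicit, e.g. `<% /* every value is HTML-escaped by the template; pass plain text, not markup */ %>`. While touching the line, the second `aria-labelledby="modal-window-title"` on the inner `.modal-window` div is redundant — that div has no role, and the wrapper with `role="dialog"` already carries it.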
<li class="action-item">
<a href="#" class="button <%= isPrimary ? 'action-primary' : '' %> action-<%= type %>"><%= name %></a>
<a href="#" class="button <%- isPrimary ? 'action-primary' : '' %> action-<%- type %>"><%- name %></a>
</li>
<form class="upload-dialog" method="POST" action="<%= url %>" enctype="multipart/form-data">
<p id="dialog-assetupload-description" class="message"><%= message %></p>
<form class="upload-dialog" method="POST" action="<%- url %>" enctype="multipart/form-data">
<p id="dialog-assetupload-description" class="message"><%- message %></p>
<input type="file" name="file" <% if(error && error.attributes && error.attributes.selectedFile) {%>class="error"<% } %> />
<div class="status-upload">
......@@ -7,7 +7,7 @@
<% if(uploading) { %>
<div class="wrapper-progress">
<% if (uploadedBytes && totalBytes) { %>
<progress value="<%= uploadedBytes %>" max="<%= totalBytes %>"><%= uploadedBytes/totalBytes*100 %>%</progress>
<progress value="<%- uploadedBytes %>" max="<%- totalBytes %>"><%- uploadedBytes/totalBytes*100 %>%</progress>
<% } else { %>
<progress></progress>
<% } %>
......@@ -16,13 +16,13 @@
<% if(error) {%>
<div id="upload_error" class="message message-status error is-shown" name="upload_error">
<p><%= error.message %></p>
<p><%- error.message %></p>
</div>
<% } %>
<% if(finished) { %>
<div id="upload_confirm" class="message message-status confirm success is-shown" name="upload_confirm">
<p><%= gettext("File upload succeeded") %></p>
<p><%- gettext("File upload succeeded") %></p>
</div>
<% } %>
......
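Review bot: The fallback text in `<progress value="<%- uploadedBytes %>" max="<%- totalBytes %>"><%- uploadedBytes/totalBytes*100 %>%</progress>` still prints the raw quotient, so it can read like `33.333333333333336%`; round it while the line is being rewritten, e.g. `<%- Math.round(uploadedBytes / totalBytes * 100) %>%`. Escaping `url` in `action="<%- url %>"` and the server-supplied `error.message` with `<%- %>` is the right default; if any caller relied on `error.message` carrying markup it will now render literally, which the commit message does not mention. The `<form class="upload-dialog" …>` opened in the first hunk closes outside the visible lines.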
<%page expression_filter="h"/>
<%inherit file="base.html" />
<%def name="online_help_token()"><% return "login" %></%def>
<%!
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from openedx.core.djangolib.js_utils import js_escaped_string
%>
<%block name="title">${_("Sign In")}</%block>
<%block name="bodyclass">not-signedin view-signin</%block>
......@@ -51,6 +53,6 @@ from django.utils.translation import ugettext as _
<%block name="requirejs">
require(["js/factories/login"], function(LoginFactory) {
LoginFactory("${reverse('homepage')}");
LoginFactory("${reverse('homepage') | n, js_escaped_string}");
});
</%block>
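Review bot: The new `LoginFactory("${reverse('homepage') | n, js_escaped_string}");` is the correct pattern inside a script block — `n` turns off the page-level HTML filter and `js_escaped_string` escapes for a JS string literal — but nothing in the template says so, and the next `${}` added to `<%block name="requirejs">` is likely to omit it. Add a Mako comment above the call, `## Inside script code: bypass the HTML filter (n) and use js_escaped_string, since the value sits in a quoted JS string`, so the rule travels with the code.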
<%page expression_filter="h"/>
<%inherit file="base.html" />
<%def name="online_help_token()"><% return "advanced" %></%def>
<%namespace name='static' file='static_content.html'/>
......@@ -7,6 +8,7 @@
from openedx.core.djangolib.js_utils import (
dump_js_escaped_json, js_escaped_string
)
from openedx.core.djangolib.markup import HTML, Text
%>
<%block name="title">${_("Advanced Settings")}</%block>
<%block name="bodyclass">is-signedin course advanced view-settings</%block>
......@@ -57,7 +59,10 @@
</header>
<p class="instructions">${_("<strong>Warning</strong>: Do not modify these policies unless you are familiar with their purpose.")}</p>
<p class="instructions">${Text(_("{strong_start}Warning{strong_end}: Do not modify these policies unless you are familiar with their purpose.")).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>')
)}</p>
<div class="wrapper-options">
<div class="wrapper-deprecated-setting">
......@@ -80,7 +85,10 @@
<p>${_("Any policies you modify here override all other information you've defined elsewhere in {studio_name}. Do not edit policies unless you are familiar with both their purpose and syntax.").format(studio_name=settings.STUDIO_SHORT_NAME)}</p>
<p>${_("{em_start}Note:{em_end} When you enter strings as policy values, ensure that you use double quotation marks (&quot;) around the string. Do not use single quotation marks (&apos;).").format(em_start='<strong>', em_end="</strong>")}</p>
<p>${Text(_('{em_start}Note:{em_end} When you enter strings as policy values, ensure that you use double quotation marks (\") around the string. Do not use single quotation marks (\').')).format(
em_start=HTML('<strong>'),
em_end=HTML('</strong>')
)}</p>
</div>
<div class="bit">
......@@ -93,7 +101,7 @@
<h3 class="title-3">${_("Other Course Settings")}</h3>
<nav class="nav-related" aria-label="${_('Other Course Settings')}">
<ul>
<li class="nav-item"><a href="${details_url}">${_("Details &amp; Schedule")}</a></li>
<li class="nav-item"><a href="${details_url}">${_("Details & Schedule")}</a></li>
<li class="nav-item"><a href="${grading_url}">${_("Grading")}</a></li>
<li class="nav-item"><a href="${course_team_url}">${_("Course Team")}</a></li>
<li class="nav-item"><a href="${utils.reverse_course_url('group_configurations_list_handler', context_course.id)}">${_("Group Configurations")}</a></li>
......
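Review bot: In the hunk at `@@ -80,7 +85,10 @@` the new string `'{em_start}Note:{em_end} … double quotation marks (\") around the string. Do not use single quotation marks (\').'` escapes both quote characters although only `\'` needs escaping inside a single-quoted Python literal; drop the redundant one, `(")`, so the msgid reads as intended and translators do not see a stray backslash in their tooling. The replacement of `&quot;`/`&apos;` with literal quotes is required now that `<%page expression_filter="h"/>` escapes output, and `&amp;` → `&` in `Details & Schedule` follows the same rule; both change msgids, so existing translations for these strings will need re-keying. The `<div class="bit">` enclosing the note paragraph starts outside the hunk.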
......@@ -11,7 +11,7 @@
<div class="wrapper wrapper-l">
<h1 class="branding"><a href="/">
<img src="${static.url("images/studio-logo.png")}" alt="${settings.STUDIO_NAME}" />
<img src="${static.url('images/studio-logo.png')}" alt="${settings.STUDIO_NAME}" />
</a></h1>
% if context_course:
......@@ -218,7 +218,7 @@
<h2 class="sr">${_("Account Navigation")}</h2>
<ol>
<li class="nav-item nav-account-help">
<h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_("Contextual Online Help")}" target="_blank">${_("Help")}</a></span></h3>
<h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a></span></h3>
</li>
<li class="nav-item nav-account-user">
<h3 class="title"><span class="label"><span class="label-prefix sr">${_("Currently signed in as:")}</span><span class="account-username" title="${ user.username }">${ user.username }</span></span> <i class="icon fa fa-caret-down ui-toggle-dd"></i></h3>
......@@ -244,7 +244,7 @@
<h2 class="sr">${_("Account Navigation")}</h2>
<ol>
<li class="nav-item nav-not-signedin-help">
<a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_("Contextual Online Help")}" target="_blank">${_("Help")}</a>
<a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a>
</li>
<li class="nav-item nav-not-signedin-signup">
<a class="action action-signup" href="${reverse('signup')}">${_("Sign Up")}</a>
......
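Review bot: Both rewritten help links, `<a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">`, open a new browsing context without `rel="noopener noreferrer"`, which leaves the opener window reachable from the help page; the doc URL appears to come from configuration rather than from the user, but the attribute costs nothing — `target="_blank" rel="noopener noreferrer"`. The quote changes themselves (`static.url('images/studio-logo.png')`, `_('Contextual Online Help')`) only avoid nesting double quotes inside double-quoted attributes and are fine. The `<h1 class="branding">` and both `<ol>` lists start and end outside the hunks.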