Fix XSS vulnerability in User Profile.

TNL-2248

Fix XSS vulnerability in User Profile.
TNL-2248
09e1f9ed · Daniel Friedman · 2ba5d483 · 09e1f9ed · 09e1f9ed · 09e1f9ed
Commit 09e1f9ed authored May 21, 2015 by Daniel Friedman
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 2 deletions

lms/templates/student_profile/learner_profile.html
+2 -2

openedx/core/lib/json_utils.py
+22 -0

openedx/core/lib/tests/test_json_utils.py
+18 -0

No files found.
--- a/lms/templates/student_profile/learner_profile.html
+++ b/lms/templates/student_profile/learner_profile.html
 <%! import json %>
 <%! from django.core.urlresolvers import reverse %>
 <%! from django.utils.translation import ugettext as _ %>
-<%! from xmodule.modulestore import EdxJSONEncoder %>
+<%! from openedx.core.lib.json_utils import EscapedEdxJSONEncoder %>

 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
@@ -39,7 +39,7 @@
    <script>
          (function (require) {
            require(['js/student_profile/views/learner_profile_factory'], function(setupLearnerProfile) {
-                var options = ${ json.dumps(data, cls=EdxJSONEncoder) };
+                var options = ${ json.dumps(data, cls=EscapedEdxJSONEncoder) };
                setupLearnerProfile(options);
            });
          }).call(this, require || RequireJS.require);

--- a/openedx/core/lib/json_utils.py
+++ b/openedx/core/lib/json_utils.py
+"""
+Utilities for dealing with JSON.
+"""
+import simplejson
+
+
+from xmodule.modulestore import EdxJSONEncoder
+
+
+class EscapedEdxJSONEncoder(EdxJSONEncoder):
+    """
+    Class for encoding edx JSON which will be printed inline into HTML
+    templates.
+    """
+    def encode(self, obj):
+        """
+        Encodes JSON that is safe to be embedded in HTML.
+        """
+        return simplejson.dumps(
+            simplejson.loads(super(EscapedEdxJSONEncoder, self).encode(obj)),
+            cls=simplejson.JSONEncoderForHTML
+        )
--- a/openedx/core/lib/tests/test_json_utils.py
+++ b/openedx/core/lib/tests/test_json_utils.py
+"""
+Tests for json_utils.py
+"""
+import json
+from unittest import TestCase
+
+from openedx.core.lib.json_utils import EscapedEdxJSONEncoder
+
+
+class TestEscapedEdxJSONEncoder(TestCase):
+    """Test the EscapedEdxJSONEncoder class."""
+    def test_escapes_forward_slashes(self):
+        """Verify that we escape forward slashes with backslashes."""
+        malicious_json = {'</script><script>alert("hello, ");</script>': '</script><script>alert("world!");</script>'}
+        self.assertNotIn(
+            '</script>',
+            json.dumps(malicious_json, cls=EscapedEdxJSONEncoder)
+        )