Skip to content

E
edx-platform
Commit 0c604da9 by Nimisha Asthagiri
Options

Merge pull request #11900 from edx/nasthagiri/css-template 

XSS Safe by default: dashboard, header, footer, navigation, help_modal
parents 1bfb4147 5f8330ff
Showing with 107 additions and 63 deletions
cms/templates/widgets/header.html
<%page expression_filter="h"/>
<%namespace name='static' file='../static_content.html'/>
<%!
from django.conf import settings
......@@ -36,8 +37,8 @@
<h2 class="info-course">
<span class="sr">${_("Current Course:")}</span>
<a class="course-link" href="${index_url}">
<span class="course-org">${context_course.display_org_with_default | h}</span><span class="course-number">${context_course.display_number_with_default | h}</span>
<span class="course-title" title="${context_course.display_name_with_default_escaped}">${context_course.display_name_with_default_escaped}</span>
<span class="course-org">${context_course.display_org_with_default}</span><span class="course-number">${context_course.display_number_with_default}</span>
<span class="course-title" title="${context_course.display_name_with_default}">${context_course.display_name_with_default}</span>
</a>
</h2>
......@@ -139,8 +140,8 @@
<h2 class="info-course">
<span class="sr">${_("Current Library:")}</span>
<a class="course-link" href="${index_url}">
<span class="course-org">${context_library.display_org_with_default | h}</span><span class="course-number">${context_library.display_number_with_default | h}</span>
<span class="course-title" title="${context_library.display_name_with_default_escaped}">${context_library.display_name_with_default_escaped}</span>
<span class="course-org">${context_library.display_org_with_default}</span><span class="course-number">${context_library.display_number_with_default}</span>
<span class="course-title" title="${context_library.display_name_with_default}">${context_library.display_name_with_default}</span>
</a>
</h2>
......
common/djangoapps/student/tests/tests.py
......@@ -249,11 +249,14 @@ class DashboardTest(ModuleStoreTestCase):
Test that the certificate verification status for courses is visible on the dashboard.
"""
self.client.login(username="jack", password="test")
self._check_verification_status_on('verified', 'You\'re enrolled as a verified student')
self._check_verification_status_on('honor', 'You\'re enrolled as an honor code student')
self._check_verification_status_on('verified', 'You&#39;re enrolled as a verified student')
self._check_verification_status_on('honor', 'You&#39;re enrolled as an honor code student')
self._check_verification_status_off('audit', '')
self._check_verification_status_on('professional', 'You\'re enrolled as a professional education student')
self._check_verification_status_on('no-id-professional', 'You\'re enrolled as a professional education student')
self._check_verification_status_on('professional', 'You&#39;re enrolled as a professional education student')
self._check_verification_status_on(
'no-id-professional',
'You&#39;re enrolled as a professional education student',
)
@unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
def _check_verification_status_off(self, mode, value):
......
lms/templates/dashboard.html
<%page expression_filter="h"/>
<%inherit file="main.html" />
<%namespace name='static' file='static_content.html'/>
<%!
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from django.template import RequestContext
import third_party_auth
from third_party_auth import pipeline
from django.core.urlresolvers import reverse
import json
from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
%>
<%
......@@ -39,9 +40,9 @@ import json
<script type="text/javascript">
$(document).ready(function() {
edx.dashboard.legacy.init({
dashboard: "${reverse('dashboard')}",
signInUser: "${reverse('signin_user')}",
changeEmailSettings: "${reverse('change_email_settings')}"
dashboard: "${reverse('dashboard') | n, js_escaped_string}",
signInUser: "${reverse('signin_user') | n, js_escaped_string}",
changeEmailSettings: "${reverse('change_email_settings') | n, js_escaped_string}"
});
});
</script>
......@@ -54,7 +55,7 @@ import json
<%static:require_module module_name="js/views/message_banner" class_name="MessageBannerView">
var banner = new MessageBannerView({urgency: 'low', type: 'warning'});
$('#content').prepend(banner.$el);
banner.showMessage(${json.dumps(redirect_message)})
banner.showMessage(${redirect_message | n, dump_js_escaped_json})
</%static:require_module>
% endif
</%block>
......@@ -117,7 +118,7 @@ import json
<h2>${_("Course-loading errors")}</h2>
% for course_dir, errors in errored_courses.items():
<h3>${course_dir | h}</h3>
<h3>${course_dir}</h3>
<ul>
% for (msg, err) in errors:
<li>${msg}
......
lms/templates/dashboard/_dashboard_status_verification.html
<%page expression_filter="h"/>
<%namespace name='static' file='../static_content.html'/>
<%!
from django.utils.translation import ugettext as _
......
lms/templates/footer.html
## mako
<%page expression_filter="h"/>
<%!
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
......
lms/templates/header.html
## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/>
<%include file="${static.get_themed_template_path(relative_path='theme-header.html', default_path='navigation.html')}" />
lms/templates/help_modal.html
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/>
<%!
......@@ -6,6 +7,8 @@ import pytz
from django.conf import settings
from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse
from openedx.core.djangolib.js_utils import js_escaped_string
from openedx.core.djangolib.markup import Text, HTML
from xmodule.tabs import CourseTabList
%>
......@@ -28,8 +31,8 @@ from xmodule.tabs import CourseTabList
<header>
<h2>
${_('{platform_name} Help').format(
platform_name=u'<span class="edx">{}</span>'.format(static.get_platform_name())
${Text(_('{platform_name} Help')).format(
platform_name=HTML(u'<span class="edx">{}</span>').format(static.get_platform_name())
)}
</h2>
<hr>
......@@ -41,22 +44,30 @@ from xmodule.tabs import CourseTabList
%>
% if discussion_link:
<p>${_('For <strong>questions on course lectures, homework, tools, or materials for this course</strong>, post in the {link_start}course discussion forum{link_end}.').format(
link_start='<a href="{url}" target="_blank">'.format(url=discussion_link),
link_end='</a>',
<p>${Text(_('For {strong_start}questions on course lectures, homework, tools, or materials for this course{strong_end}, post in the {link_start}course discussion forum{link_end}.')).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>'),
link_start=HTML('<a href="{url}" target="_blank">').format(
url=discussion_link
),
link_end=HTML('</a>'),
)}
</p>
% endif
<p>${_('Have <strong>general questions about {platform_name}</strong>? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.').format(
link_start='<a href="{url}" target="_blank">'.format(
<p>${Text(_('Have {strong_start}general questions about {platform_name}{strong_end}? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.')).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>'),
link_start=HTML('<a href="{url}" target="_blank">').format(
url=marketing_link('FAQ')
),
link_end='</a>',
link_end=HTML('</a>'),
platform_name=static.get_platform_name())}
</p>
<p>${_('Have a <strong>question about something specific</strong>? You can contact the {platform_name} general support team directly:').format(
<p>${Text(_('Have a {strong_start}question about something specific{strong_end}? You can contact the {platform_name} general support team directly:')).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>'),
platform_name=static.get_platform_name()
)}</p>
<hr>
......@@ -99,7 +110,7 @@ from xmodule.tabs import CourseTabList
<textarea name="details" id="feedback_form_details" aria-required="true"></textarea>
<input name="issue_type" type="hidden">
% if course:
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string() | h}">
<input name="course_id" type="hidden" value="${unicode(course.id)}">
% endif
<div class="submit">
<input name="submit" type="submit" value="${_('Submit')}" id="feedback_submit">
......@@ -131,16 +142,16 @@ from xmodule.tabs import CourseTabList
close_time = "22:00"
%>
<p>
${_(
${Text(_(
'Thank you for your inquiry or feedback. We typically respond to a request '
'within one business day (Monday to Friday, {open_time} UTC to {close_time} UTC.) In the meantime, please '
'review our {link_start}detailed FAQs{link_end} where most questions have '
'already been answered.'
).format(
)).format(
open_time=open_time,
close_time=close_time,
link_start='<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">'.format(marketing_link('FAQ')),
link_end='</a>'
link_start=HTML('<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">').format(marketing_link('FAQ')),
link_end=HTML('</a>')
)}
</p>
</div>
......@@ -201,29 +212,32 @@ from xmodule.tabs import CourseTabList
$("#feedback_link_problem").click(function(event) {
showFeedback(
event,
"${_('problem')}",
"${_('Report a Problem')}",
"${_('Brief description of the problem')}" + "*",
"${_('Details of the problem you are encountering')}" + "*" + "<span class='tip'>" +
"${_('Include error messages, steps which lead to the issue, etc.')}" + "</span>"
"${_('problem') | n, js_escaped_string}",
"${_('Report a Problem') | n, js_escaped_string}",
"${_('Brief description of the problem') + '*' | n, js_escaped_string}" ,
"${Text(_('Details of the problem you are encountering{asterisk}{begin_span}Include error messages, steps which lead to the issue, etc.{end_span}')).format(
asterisk='*',
begin_span=HTML('<span class=tip>'),
end_span=HTML('</span>'),
) | n, js_escaped_string}"
);
});
$("#feedback_link_suggestion").click(function(event) {
showFeedback(
event,
"${_('suggestion')}",
"${_('Make a Suggestion')}",
"${_('Brief description of your suggestion')}" + "*",
"${_('Details')}" + "*"
"${_('suggestion') | n, js_escaped_string}",
"${_('Make a Suggestion') | n, js_escaped_string}",
"${_('Brief description of your suggestion') + '*' | n, js_escaped_string}",
"${_('Details') + '*' | n, js_escaped_string}"
);
});
$("#feedback_link_question").click(function(event) {
showFeedback(
event,
"${_('question')}",
"${_('Ask a Question')}",
"${_('Brief summary of your question')}" + "*",
"${_('Details')}" + "*"
"${_('question') | n, js_escaped_string}",
"${_('Ask a Question') | n, js_escaped_string}",
"${_('Brief summary of your question') + '*' | n, js_escaped_string}",
"${_('Details') + '*' | n, js_escaped_string}"
);
});
$("#feedback_form").submit(function() {
......@@ -251,21 +265,21 @@ from xmodule.tabs import CourseTabList
$("#feedback_error").html(responseData.error).stop().css("display", "block");
} else {
// If no data (or malformed data) is returned, a server error occurred
htmlStr = "${_('An error has occurred.')}";
htmlStr = "${_('An error has occurred.') | n, js_escaped_string}";
% if settings.FEEDBACK_SUBMISSION_EMAIL:
htmlStr += " " + _.template(
"${_('Please {link_start}send us e-mail{link_end}.')}", {interpolate: /\{(.+?)\}/g})(
{link_start: '<a href="#" id="feedback_email">', link_end: '</a>'}
);
htmlStr += " " + "${Text(_('Please {link_start}send us e-mail{link_end}.')).format(
link_start=HTML('<a href="#" id="feedback_email">'),
link_end=HTML('</a>'),
) | n, js_escaped_string}";
% else:
// If no email is configured, we can't do much other than
// ask the user to try again later
htmlStr += " " + "${_('Please try again later.')}";
htmlStr += " " + "${_('Please try again later.') | n, js_escaped_string}";
% endif
$("#feedback_error").html(htmlStr).stop().css("display", "block");
% if settings.FEEDBACK_SUBMISSION_EMAIL:
$("#feedback_email").click(function(e) {
mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL}" +
mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL | n, js_escaped_string}" +
"?subject=" + $("#feedback_form input[name='subject']").val() +
"&body=" + $("#feedback_form textarea[name='details']").val();
window.open(mailto);
......
lms/templates/navigation-edx.html
## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/>
<%namespace file='main.html' import="login_query"/>
<%!
......@@ -48,9 +49,9 @@ site_status_msg = get_site_status_msg(course_id)
% if course and not disable_courseware_header:
<h2 class="course-header">
<span class="provider">${course.display_org_with_default | h}:</span>
<span class="course-number">${course.display_number_with_default | h}</span>
<span class="course-name">${course.display_name_with_default_escaped}</span>
<span class="provider">${course.display_org_with_default}:</span>
<span class="course-number">${course.display_number_with_default}</span>
<span class="course-name">${course.display_name_with_default}</span>
</h2>
% endif
......@@ -140,7 +141,15 @@ site_status_msg = get_site_status_msg(course_id)
</header>
% if course:
<!--[if lte IE 9]>
<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div>
<div class="ie-banner" aria-hidden="true">
${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
begin_strong=HTML('<strong>'),
end_strong=HTML('</strong>'),
chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
)
}
</div>
<![endif]-->
% endif
......
lms/templates/navigation.html
## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/>
<%namespace file='main.html' import="login_query"/>
<%!
......@@ -8,6 +9,7 @@ from django.utils.translation import ugettext as _
from lms.djangoapps.ccx.overrides import get_current_ccx
from microsite_configuration import microsite
from microsite_configuration.templatetags.microsite import platform_name
from openedx.core.djangolib.markup import Text, HTML
from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_urls_for_user
# App that handles subdomain specific branding
......@@ -48,10 +50,10 @@ site_status_msg = get_site_status_msg(course_id)
</h1>
% if course:
<h2 class="course-header"><span class="provider">${course.display_org_with_default | h}:</span>
<span class="course-number">${course.display_number_with_default | h}</span>
<h2 class="course-header"><span class="provider">${course.display_org_with_default}:</span>
<span class="course-number">${course.display_number_with_default}</span>
<%
display_name = course.display_name_with_default_escaped
display_name = course.display_name_with_default
if settings.FEATURES.get('CUSTOM_COURSES_EDX', False):
ccx = get_current_ccx(course.id)
if ccx:
......@@ -194,7 +196,15 @@ site_status_msg = get_site_status_msg(course_id)
</header>
% if course:
<!--[if lte IE 9]>
<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div>
<div class="ie-banner" aria-hidden="true">
${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
begin_strong=HTML('<strong>'),
end_strong=HTML('</strong>'),
chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
)
}
</div>
<![endif]-->
% endif
......
lms/templates/vert_module.html
<%page expression_filter="h"/>
% if show_bookmark_button:
<%include file='bookmark_button.html' args="bookmark_id=bookmark_id, is_bookmarked=bookmarked"/>
......@@ -6,7 +7,7 @@
<div class="vert-mod">
% for idx, item in enumerate(items):
<div class="vert vert-${idx}" data-id="${item['id']}">
${item['content']}
${item['content'] | n, unicode}
</div>
% endfor
</div>
themes/edx.org/lms/templates/dashboard.html
<%page expression_filter="h"/>
<%inherit file="main.html" />
<%namespace name='static' file='static_content.html'/>
<%!
......@@ -8,6 +9,7 @@ from third_party_auth import pipeline
from microsite_configuration import microsite
from django.core.urlresolvers import reverse
import json
from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
%>
<%
......@@ -40,9 +42,9 @@ import json
<script type="text/javascript">
$(document).ready(function() {
edx.dashboard.legacy.init({
dashboard: "${reverse('dashboard')}",
signInUser: "${reverse('signin_user')}",
changeEmailSettings: "${reverse('change_email_settings')}"
dashboard: "${reverse('dashboard') | n, js_escaped_string}",
signInUser: "${reverse('signin_user') | n, js_escaped_string}",
changeEmailSettings: "${reverse('change_email_settings') | n, js_escaped_string}"
});
});
</script>
......@@ -55,7 +57,7 @@ import json
<%static:require_module module_name="js/views/message_banner" class_name="MessageBannerView">
var banner = new MessageBannerView({urgency: 'low', type: 'warning'});
$('#content').prepend(banner.$el);
banner.showMessage(${json.dumps(redirect_message)})
banner.showMessage(${redirect_message | n, dump_js_escaped_json})
</%static:require_module>
% endif
</%block>
......@@ -118,7 +120,7 @@ import json
<h2>${_("Course-loading errors")}</h2>
% for course_dir, errors in errored_courses.items():
<h3>${course_dir | h}</h3>
<h3>${course_dir}</h3>
<ul>
% for (msg, err) in errors:
<li>${msg}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment