Safe templating changes for CCX.

13ef2b7d · John Eskew · 88aa4a90 · 13ef2b7d · 13ef2b7d · 13ef2b7d
Commit 13ef2b7d authored Mar 23, 2016 by John Eskew
7 changed files
--- a/lms/djangoapps/ccx/tests/test_views.py
+++ b/lms/djangoapps/ccx/tests/test_views.py
@@ -738,10 +738,7 @@ class TestCoachDashboard(CcxTestCase, LoginEnrollmentTestCase):
        # some error messages are returned for one of the views only
        if view_name == 'ccx_manage_student' and not is_email(identifier):
-            error_message = 'Could not find a user with name or email "{identifier}" '.format(
+            self.assertContains(response, 'Could not find a user with name or email ', status_code=200)
-                identifier=identifier
-            )
-            self.assertContains(response, error_message, status_code=200)
        if is_email(identifier):
            if send_email:

--- a/lms/templates/ccx/coach_dashboard.html
+++ b/lms/templates/ccx/coach_dashboard.html
+<%page expression_filter="h"/>
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
 %>
 <%block name="pagetitle">${_("CCX Coach Dashboard")}</%block>
@@ -163,14 +167,14 @@ from django.core.urlresolvers import reverse
  function validateForm(form) {
    var newCCXName = $(form).find('#ccx_name').val();
    var $errorMessage =  $('#ccx-create-message');
-    var hasCcxConnector = ${has_ccx_connector};
+    var hasCcxConnector = ${has_ccx_connector | n, dump_js_escaped_json};
    if (!newCCXName && !hasCcxConnector) {
-      $errorMessage.text("${_('Please enter a valid CCX name.')}");
+      $errorMessage.text("${_('Please enter a valid CCX name.') | n, js_escaped_string}");
      $errorMessage.show();
      return false;
    } else if (hasCcxConnector) {
-      $errorMessage.html('${use_ccx_con_error_message}');
+      $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}');
      $errorMessage.show();
      return false;
    }

--- a/lms/templates/ccx/enrollment.html
+++ b/lms/templates/ccx/enrollment.html
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <div class="batch-enrollment" style="float:left;width:50%">
  <form method="POST" action="ccx_invite">
@@ -18,8 +22,16 @@
    <div class="hint auto-enroll-hint">
      <span class="hint-caret"></span>
      <p class="text-helper" id="auto-enroll-helper">
-	${_("If this option is <em>checked</em>, users who have not yet registered for {platform_name} will be automatically enrolled.").format(platform_name=settings.PLATFORM_NAME)}
+	${Text(_("If this option is {em_start}checked{em_end}, users who have not yet registered for {platform_name} will be automatically enrolled.")).format(
-	${_("If this option is left <em>unchecked</em>, users who have not yet registered for {platform_name} will not be enrolled, but will be allowed to enroll once they make an account.").format(platform_name=settings.PLATFORM_NAME)}
+        em_start=HTML('<em>'),
+        em_end=HTML('</em>'),
+        platform_name=settings.PLATFORM_NAME,
+    )}
+	${Text(_("If this option is left {em_start}unchecked{em_end}, users who have not yet registered for {platform_name} will not be enrolled, but will be allowed to enroll once they make an account.")).format(
+        em_start=HTML('<em>'),
+        em_end=HTML('</em>'),
+        platform_name=settings.PLATFORM_NAME,
+    )}
 	<br /><br />
 	${_("Checking this box has no effect if 'Unenroll' is selected.")}
      </p>
@@ -32,7 +44,10 @@
    <div class="hint email-students-hint">
      <span class="hint-caret"></span>
      <p class="text-helper" id="email-students-helper">
-	${_("If this option is <em>checked</em>, users will receive an email notification.")}
+	${Text(_("If this option is {em_start}checked{em_end}, users will receive an email notification.")).format(
+        em_start=HTML('<em>'),
+        em_end=HTML('</em>'),
+    )}
      </p>
    </div>
  </div>
@@ -90,8 +105,16 @@
            <div class="hint auto-enroll-hint">
              <span class="hint-caret"></span>
              <p class="text-helper" id="auto-enroll-helper">
-                ${_("If this option is <em>checked</em>, users who have not yet registered for {platform_name} will be automatically enrolled.").format(platform_name=settings.PLATFORM_NAME)}
+                ${Text(_("If this option is {em_start}checked{em_end}, users who have not yet registered for {platform_name} will be automatically enrolled.")).format(
-                ${_("If this option is left <em>unchecked</em>, users who have not yet registered for {platform_name} will not be enrolled, but will be allowed to enroll once they make an account.").format(platform_name=settings.PLATFORM_NAME)}
+                    em_start=HTML('<em>'),
+                    em_end=HTML('</em>'),
+                    platform_name=settings.PLATFORM_NAME,
+                )}
+                ${Text(_("If this option is left {em_start}unchecked{em_end}, users who have not yet registered for {platform_name} will not be enrolled, but will be allowed to enroll once they make an account.")).format(
+                    em_start=HTML('<em>'),
+                    em_end=HTML('</em>'),
+                    platform_name=settings.PLATFORM_NAME,
+                )}
                <br /><br />
                ${_("Checking this box has no effect if 'Revoke' is clicked.")}
              </p>
@@ -103,7 +126,10 @@
            <div class="hint email-students-hint">
              <span class="hint-caret"></span>
              <p class="text-helper" id="email-students-helper">
-                ${_("If this option is <em>checked</em>, users will receive an email notification.")}
+                ${Text(_("If this option is {em_start}checked{em_end}, users will receive an email notification.")).format(
+                    em_start=HTML('<em>'),
+                    em_end=HTML('</em>'),
+                )}
              </p>
            </div>
        </div>

--- a/lms/templates/ccx/grading_policy.html
+++ b/lms/templates/ccx/grading_policy.html
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <div id="warn-coach" class="wrapper-msg urgency-high warning">

--- a/lms/templates/ccx/schedule.html
+++ b/lms/templates/ccx/schedule.html
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
+%>
 <%namespace name='static' file='/static_content.html'/>
 <%block name="jsextra">
-  <script>  
+  <script>
-    var save_url = '${save_url}';
+    var save_url = '${save_url | n, js_escaped_string}';
-    var schedule = ${schedule};
+    var schedule = ${schedule | n, dump_js_escaped_json};
  </script>
-    <script src="${static.url('js/vendor/backbone-min.js')}"></script>
+  <script src="${static.url('js/vendor/backbone-min.js')}"></script>
  <script src="${static.url('js/vendor/timepicker/jquery.timepicker.js')}"></script>
  <link rel="stylesheet" type="text/css" href="${static.url('js/vendor/timepicker/jquery.timepicker.css')}" />
  <style>

--- a/lms/templates/ccx/schedule.underscore
+++ b/lms/templates/ccx/schedule.underscore
@@ -20,7 +20,7 @@
    </thead>
    <tbody>
      <% _.each(chapters, function(chapter) { %>
-        <tr class="chapter collapsed" data-location="<%= chapter.location %>" data-depth="1">
+        <tr class="chapter collapsed" data-location="<%- chapter.location %>" data-depth="1">
          <td class="unit">
            <button class="toggle-collapse ccx-button-link" aria-expanded="false">
              <i class="fa fa-caret-right"></i>
@@ -30,11 +30,11 @@
              </span>
            </button>
            <span class="sr">
-              <%- gettext('Section') %>&nbsp;</span><%= chapter.display_name %>
+              <%- gettext('Section') %>&nbsp;</span><%- chapter.display_name %>
          </td>
          <td class="date start-date">
            <button class="ccx-button-link">
-              <%= chapter.start %>
+              <%- chapter.start %>
              <span class="sr"><%- gettext('Click to change') %></span>
            </button>
          </td>
@@ -48,7 +48,7 @@
        </tr>
        <% _.each(chapter.children, function(child) { %>
          <tr class="sequential collapsed" data-depth="2"
-              data-location="<%= chapter.location %> <%= child.location %>">
+              data-location="<%- chapter.location %> <%- child.location %>">
            <td class="unit">
              <button class="toggle-collapse ccx-button-link" aria-expanded="false">
                 <i class="fa fa-caret-right"></i>
@@ -57,17 +57,17 @@
                      {displayName: child.display_name}, true) %>
                 </span>
              </button>
-              <span class="sr"><%- gettext('Subsection') %>&nbsp;</span><%= child.display_name %>
+              <span class="sr"><%- gettext('Subsection') %>&nbsp;</span><%- child.display_name %>
            </td>
            <td class="date start-date">
              <button class="ccx-button-link">
-                <%= child.start %>
+                <%- child.start %>
                <span class="sr"><%- gettext('Click to change') %></span>
              </button>
            </td>
            <td class="date due-date">
              <button class="ccx-button-link">
-                <%= child.due %>
+                <%- child.due %>
                <span class="sr"><%- gettext('Click to change') %></span>
              </button>
            </td>
@@ -78,14 +78,14 @@
          </tr>
          <% _.each(child.children, function(subchild) { %>
            <tr class="vertical" data-depth="3"
-                data-location="<%= chapter.location %> <%= child.location %> <%= subchild.location %>">
+                data-location="<%- chapter.location %> <%- child.location %> <%- subchild.location %>">
              <td class="unit">&nbsp;
                 <span class="sr"><%- gettext('Unit') %>&nbsp;</span>
-                 <%= subchild.display_name %>
+                 <%- subchild.display_name %>
              </td>
              <td class="date start-date no-link">
                <% if (subchild.start) { %>
-                  <%= subchild.start %>
+                  <%- subchild.start %>
                <% } else { %>
                  <%
                  // Translators: Unit's aka vertical start date is set to Unscheduled when user has not set start date on corresponding subsection aka sequential.
@@ -95,7 +95,7 @@
              </td>
              <td class="date due-date no-link">
                <% if (subchild.due) { %>
-                  <%= subchild.due %>
+                  <%- subchild.due %>
                <% } else { %>
                  <%
                  // Translators: Unit's aka vertical due date is set to Unscheduled when user has not set due date on corresponding subsection aka sequential.

--- a/lms/templates/ccx/student_admin.html
+++ b/lms/templates/ccx/student_admin.html
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <section>