2c294816
Commit
2c294816
authored
Jun 07, 2013
by
Greg Price
Merge pull request #106 from edx/release
Merge hotfix-2013-06-07
parents
6cf7d263
7af474fe
Showing
3 changed files
with
68 additions
and
8 deletions
+68
-8
lms/djangoapps/instructor/tests/test_xss.py
+63
-0
lms/djangoapps/instructor/views.py
+2
-5
lms/templates/courseware/instructor_dashboard.html
+3
-3
lms/djangoapps/instructor/tests/test_xss.py
0 → 100644
"""
Tests of various instructor dashboard features that include lists of students
"""
from
django.conf
import
settings
from
django.test
import
TestCase
from
django.test.client
import
RequestFactory
from
django.test.utils
import
override_settings
from
markupsafe
import
escape
from
courseware.tests.tests
import
TEST_DATA_MONGO_MODULESTORE
from
student.tests.factories
import
UserFactory
,
CourseEnrollmentFactory
from
xmodule.modulestore.tests.django_utils
import
ModuleStoreTestCase
from
xmodule.modulestore.tests.factories
import
CourseFactory
from
instructor
import
views
@override_settings
(
MODULESTORE
=
TEST_DATA_MONGO_MODULESTORE
)
class
TestXss
(
ModuleStoreTestCase
):
def
setUp
(
self
):
self
.
_request_factory
=
RequestFactory
()
self
.
_course
=
CourseFactory
.
create
()
self
.
_evil_student
=
UserFactory
.
create
(
email
=
"robot+evil@edx.org"
,
username
=
"evil-robot"
,
profile__name
=
'<span id="evil">Evil Robot</span>'
,
)
self
.
_instructor
=
UserFactory
.
create
(
email
=
"robot+instructor@edx.org"
,
username
=
"instructor"
,
is_staff
=
True
)
CourseEnrollmentFactory
.
create
(
user
=
self
.
_evil_student
,
course_id
=
self
.
_course
.
id
)
def
_test_action
(
self
,
action
):
"""
Test for XSS vulnerability in the given action
Build a request with the given action, call the instructor dashboard
view, and check that HTML code in a user's name is properly escaped.
"""
req
=
self
.
_request_factory
.
post
(
"dummy_url"
,
data
=
{
"action"
:
action
}
)
req
.
user
=
self
.
_instructor
req
.
session
=
{}
resp
=
views
.
instructor_dashboard
(
req
,
self
.
_course
.
id
)
respUnicode
=
resp
.
content
.
decode
(
settings
.
DEFAULT_CHARSET
)
self
.
assertNotIn
(
self
.
_evil_student
.
profile
.
name
,
respUnicode
)
self
.
assertIn
(
escape
(
self
.
_evil_student
.
profile
.
name
),
respUnicode
)
def
test_list_enrolled
(
self
):
self
.
_test_action
(
"List enrolled students"
)
def
test_dump_list_of_enrolled
(
self
):
self
.
_test_action
(
"Dump list of enrolled students"
)
def
test_dump_grades
(
self
):
self
.
_test_action
(
"Dump Grades for all students in this course"
)
lms/djangoapps/instructor/views.py
...
...
@@ -5,6 +5,7 @@ from collections import defaultdict
import
csv
import
json
import
logging
from
markupsafe
import
escape
import
os
import
re
import
requests
...
...
@@ -76,10 +77,6 @@ def instructor_dashboard(request, course_id):
else
:
idash_mode
=
request
.
session
.
get
(
'idash_mode'
,
'Grades'
)
def
escape
(
s
):
"""escape HTML special characters in string"""
return
str
(
s
)
.
replace
(
'<'
,
'<'
)
.
replace
(
'>'
,
'>'
)
# assemble some course statistics for output to instructor
datatable
=
{
'header'
:
[
'Statistic'
,
'Value'
],
'title'
:
'Course Statistics At A Glance'
,
...
...
@@ -316,7 +313,7 @@ def instructor_dashboard(request, course_id):
datatable
=
{
'header'
:
[
'Student email'
,
'Match?'
]}
rg_students
=
[
x
[
'email'
]
for
x
in
rg_stud_data
[
'retdata'
]]
def
domatch
(
x
):
return
'
<font color="green">yes</font>'
if
x
.
email
in
rg_students
else
'<font color="red">No</font>
'
return
'
yes'
if
x
.
email
in
rg_students
else
'No
'
datatable
[
'data'
]
=
[[
x
.
email
,
domatch
(
x
)]
for
x
in
stud_data
[
'students'
]]
datatable
[
'title'
]
=
action
...
...
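Review bot: The `escape` now imported from `markupsafe` in the first hunk returns a `Markup` instance rather than a plain `str`, unlike the removed local helper, so any remaining `escape(...)` call sites in `instructor_dashboard` (whose body runs outside these hunks) that concatenate or `%`-format the result with other strings will have those operands escaped as well; worth checking the rest of the function for such uses, or, if none remain, dropping the import as unused. Stylistically the new import sits inside the stdlib group between `import logging` and `import os`; move it below the stdlib block alongside `import requests`. In the third hunk `rg_students` is a list, so `x.email in rg_students` inside `domatch` is a linear scan per student; `rg_students = set(x['email'] for x in rg_stud_data['retdata'])` keeps `domatch` unchanged and makes the membership test O(1).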
lms/templates/courseware/instructor_dashboard.html
...
...
@@ -539,17 +539,17 @@ function goto( mode)
<br/>
<p>
<hr
width=
"100%"
>
<h2>
${datatable['title']}
</h2>
<h2>
${datatable['title']
| h
}
</h2>
<table
class=
"stat_table"
>
<tr>
%for hname in datatable['header']:
<th>
${hname}
</th>
<th>
${hname
| h
}
</th>
%endfor
</tr>
%for row in datatable['data']:
<tr>
%for value in row:
<td>
${value}
</td>
<td>
${value
| h
}
</td>
%endfor
</tr>
%endfor
...
...
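Review bot: Only the three interpolations inside this hunk gain `| h`; any other `${...}` expression in this template that renders data-derived strings (the hunk starts at line 539 and the surrounding markup is outside it) stays unescaped, and a per-expression filter is easy to omit the next time a column is added. A more robust arrangement is to add `h` to the Mako lookup's `default_filters` so escaping is the default and trusted markup opts out with `| n`; if that is not an option here, a Mako comment above the table such as `## every cell is escaped with | h: datatable values are user-controlled` makes the intent explicit for the next editor.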