Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
E
edx-platform
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
edx
edx-platform
Commits
2c294816
Commit
2c294816
authored
Jun 07, 2013
by
Greg Price
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #106 from edx/release
Merge hotfix-2013-06-07
parents
6cf7d263
7af474fe
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
68 additions
and
8 deletions
+68
-8
lms/djangoapps/instructor/tests/test_xss.py
+63
-0
lms/djangoapps/instructor/views.py
+2
-5
lms/templates/courseware/instructor_dashboard.html
+3
-3
No files found.
lms/djangoapps/instructor/tests/test_xss.py
0 → 100644
View file @
2c294816
"""
Tests of various instructor dashboard features that include lists of students
"""
from
django.conf
import
settings
from
django.test
import
TestCase
from
django.test.client
import
RequestFactory
from
django.test.utils
import
override_settings
from
markupsafe
import
escape
from
courseware.tests.tests
import
TEST_DATA_MONGO_MODULESTORE
from
student.tests.factories
import
UserFactory
,
CourseEnrollmentFactory
from
xmodule.modulestore.tests.django_utils
import
ModuleStoreTestCase
from
xmodule.modulestore.tests.factories
import
CourseFactory
from
instructor
import
views
@override_settings
(
MODULESTORE
=
TEST_DATA_MONGO_MODULESTORE
)
class
TestXss
(
ModuleStoreTestCase
):
def
setUp
(
self
):
self
.
_request_factory
=
RequestFactory
()
self
.
_course
=
CourseFactory
.
create
()
self
.
_evil_student
=
UserFactory
.
create
(
email
=
"robot+evil@edx.org"
,
username
=
"evil-robot"
,
profile__name
=
'<span id="evil">Evil Robot</span>'
,
)
self
.
_instructor
=
UserFactory
.
create
(
email
=
"robot+instructor@edx.org"
,
username
=
"instructor"
,
is_staff
=
True
)
CourseEnrollmentFactory
.
create
(
user
=
self
.
_evil_student
,
course_id
=
self
.
_course
.
id
)
def
_test_action
(
self
,
action
):
"""
Test for XSS vulnerability in the given action
Build a request with the given action, call the instructor dashboard
view, and check that HTML code in a user's name is properly escaped.
"""
req
=
self
.
_request_factory
.
post
(
"dummy_url"
,
data
=
{
"action"
:
action
}
)
req
.
user
=
self
.
_instructor
req
.
session
=
{}
resp
=
views
.
instructor_dashboard
(
req
,
self
.
_course
.
id
)
respUnicode
=
resp
.
content
.
decode
(
settings
.
DEFAULT_CHARSET
)
self
.
assertNotIn
(
self
.
_evil_student
.
profile
.
name
,
respUnicode
)
self
.
assertIn
(
escape
(
self
.
_evil_student
.
profile
.
name
),
respUnicode
)
def
test_list_enrolled
(
self
):
self
.
_test_action
(
"List enrolled students"
)
def
test_dump_list_of_enrolled
(
self
):
self
.
_test_action
(
"Dump list of enrolled students"
)
def
test_dump_grades
(
self
):
self
.
_test_action
(
"Dump Grades for all students in this course"
)
lms/djangoapps/instructor/views.py
View file @
2c294816
...
@@ -5,6 +5,7 @@ from collections import defaultdict
...
@@ -5,6 +5,7 @@ from collections import defaultdict
import
csv
import
csv
import
json
import
json
import
logging
import
logging
from
markupsafe
import
escape
import
os
import
os
import
re
import
re
import
requests
import
requests
...
@@ -76,10 +77,6 @@ def instructor_dashboard(request, course_id):
...
@@ -76,10 +77,6 @@ def instructor_dashboard(request, course_id):
else
:
else
:
idash_mode
=
request
.
session
.
get
(
'idash_mode'
,
'Grades'
)
idash_mode
=
request
.
session
.
get
(
'idash_mode'
,
'Grades'
)
def
escape
(
s
):
"""escape HTML special characters in string"""
return
str
(
s
)
.
replace
(
'<'
,
'<'
)
.
replace
(
'>'
,
'>'
)
# assemble some course statistics for output to instructor
# assemble some course statistics for output to instructor
datatable
=
{
'header'
:
[
'Statistic'
,
'Value'
],
datatable
=
{
'header'
:
[
'Statistic'
,
'Value'
],
'title'
:
'Course Statistics At A Glance'
,
'title'
:
'Course Statistics At A Glance'
,
...
@@ -316,7 +313,7 @@ def instructor_dashboard(request, course_id):
...
@@ -316,7 +313,7 @@ def instructor_dashboard(request, course_id):
datatable
=
{
'header'
:
[
'Student email'
,
'Match?'
]}
datatable
=
{
'header'
:
[
'Student email'
,
'Match?'
]}
rg_students
=
[
x
[
'email'
]
for
x
in
rg_stud_data
[
'retdata'
]]
rg_students
=
[
x
[
'email'
]
for
x
in
rg_stud_data
[
'retdata'
]]
def
domatch
(
x
):
def
domatch
(
x
):
return
'
<font color="green">yes</font>'
if
x
.
email
in
rg_students
else
'<font color="red">No</font>
'
return
'
yes'
if
x
.
email
in
rg_students
else
'No
'
datatable
[
'data'
]
=
[[
x
.
email
,
domatch
(
x
)]
for
x
in
stud_data
[
'students'
]]
datatable
[
'data'
]
=
[[
x
.
email
,
domatch
(
x
)]
for
x
in
stud_data
[
'students'
]]
datatable
[
'title'
]
=
action
datatable
[
'title'
]
=
action
...
...
lms/templates/courseware/instructor_dashboard.html
View file @
2c294816
...
@@ -539,17 +539,17 @@ function goto( mode)
...
@@ -539,17 +539,17 @@ function goto( mode)
<br/>
<br/>
<p>
<p>
<hr
width=
"100%"
>
<hr
width=
"100%"
>
<h2>
${datatable['title']}
</h2>
<h2>
${datatable['title']
| h
}
</h2>
<table
class=
"stat_table"
>
<table
class=
"stat_table"
>
<tr>
<tr>
%for hname in datatable['header']:
%for hname in datatable['header']:
<th>
${hname}
</th>
<th>
${hname
| h
}
</th>
%endfor
%endfor
</tr>
</tr>
%for row in datatable['data']:
%for row in datatable['data']:
<tr>
<tr>
%for value in row:
%for value in row:
<td>
${value}
</td>
<td>
${value
| h
}
</td>
%endfor
%endfor
</tr>
</tr>
%endfor
%endfor
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
