Merge pull request #11883 from edx/cdyer/safe-marathon-1

Added safety to lms/templates/student_account/account_settings.html

common/test/acceptance/tests/lms/test_account_settings.py

@@ -286,7 +286,7 @@ class AccountSettingsPageTest(AccountSettingsTestMixin, WebAppTest):
             u'email',
             u'Email Address',
             email,
-            u'@',
+            u'test@example.com' + XSS_INJECTION,
             [u'me@here.com', u'you@there.com'],
             success_message='Click the link in the message to update your email address.',
             assert_after_reload=False

lms/static/js/student_account/models/user_account_model.js

@@ -34,23 +34,27 @@
                 // Currently when a non-staff user A access user B's profile, the only way to tell whether user B's
                 // profile is public is to check if the api has returned fields other than the default public fields
                 // specified in settings.ACCOUNT_VISIBILITY_CONFIGURATION.
-                var responseKeys = _.filter(_.keys(response), function (key) {return key !== 'default_public_account_fields'});
-                response.profile_is_public = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
-
-  	            return response;
+                var responseKeys = _.filter(_.keys(response), function (key) {
+                        return key !== 'default_public_account_fields';
+                });
+                
+                var isPublic = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
+                response.profile_is_public = isPublic;
+                return response;
             },
 
             hasProfileImage: function () {
                 var profile_image = this.get('profile_image');
-                return (_.isObject(profile_image) && profile_image['has_image'] === true);
+                return (_.isObject(profile_image) && profile_image.has_image === true);
             },
 
             profileImageUrl: function () {
-                return this.get('profile_image')['image_url_large'];
+                return this.get('profile_image').image_url_large;
             },
 
             isAboveMinimumAge: function() {
-                var isBirthDefined = !(_.isUndefined(this.get('year_of_birth')) || _.isNull(this.get('year_of_birth')));
+                var yearOfBirth = this.get('year_of_birth');
+                var isBirthDefined = !(_.isUndefined(yearOfBirth) || _.isNull(yearOfBirth));
                 return isBirthDefined && !(this.get("requires_parental_consent"));
             }
         });

lms/templates/dashboard/_dashboard_third_party_error.html

+<%page expression_filter="h"/>
+
 <%! from django.utils.translation import ugettext as _ %>
 <div class="wrapper-msg urgency-high">
     <div class="msg">

lms/templates/student_account/account_settings.html

+<%page expression_filter="h"/>
+
 <%!
 import json
+
 from django.core.urlresolvers import reverse
 from django.conf import settings
 from django.utils.translation import ugettext as _
+
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
 
 <!--<%namespace name='static' file='/static_content.html'/>-->
@@ -27,12 +32,17 @@ from django.utils.translation import ugettext as _
 
 <%block name="js_extra">
 <%static:require_module module_name="js/student_account/views/account_settings_factory" class_name="AccountSettingsFactory">
-    var fieldsData = ${ json.dumps(fields) };
-    var authData = ${ json.dumps(auth) };
-    var platformName = ${json.dumps(static.get_platform_name())};
+    var fieldsData = ${ fields | n, dump_js_escaped_json };
+    var authData = ${ auth | n, dump_js_escaped_json };
+    var platformName = '${ static.get_platform_name() | n, js_escaped_string }';
 
     AccountSettingsFactory(
-        fieldsData, authData, '${user_accounts_api_url}', '${user_preferences_api_url}', ${user.id}, platformName
+        fieldsData, 
+        authData,
+        '${ user_accounts_api_url | n, js_escaped_string }',
+        '${ user_preferences_api_url | n, js_escaped_string }',
+        ${ user.id | n, dump_js_escaped_json },
+        platformName
     );
 </%static:require_module>
 </%block>