Commit 2c7241a3 by Cliff Dyer

Merge pull request #11883 from edx/cdyer/safe-marathon-1

Added safety to lms/templates/student_account/account_settings.html
parents db3b2f0c 32729eb8
......@@ -286,7 +286,7 @@ class AccountSettingsPageTest(AccountSettingsTestMixin, WebAppTest):
u'email',
u'Email Address',
email,
u'@',
u'test@example.com' + XSS_INJECTION,
[u'me@here.com', u'you@there.com'],
success_message='Click the link in the message to update your email address.',
assert_after_reload=False
......
......@@ -34,23 +34,27 @@
// Currently when a non-staff user A access user B's profile, the only way to tell whether user B's
// profile is public is to check if the api has returned fields other than the default public fields
// specified in settings.ACCOUNT_VISIBILITY_CONFIGURATION.
var responseKeys = _.filter(_.keys(response), function (key) {return key !== 'default_public_account_fields'});
response.profile_is_public = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
return response;
var responseKeys = _.filter(_.keys(response), function (key) {
return key !== 'default_public_account_fields';
});
var isPublic = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
response.profile_is_public = isPublic;
return response;
},
hasProfileImage: function () {
var profile_image = this.get('profile_image');
return (_.isObject(profile_image) && profile_image['has_image'] === true);
return (_.isObject(profile_image) && profile_image.has_image === true);
},
profileImageUrl: function () {
return this.get('profile_image')['image_url_large'];
return this.get('profile_image').image_url_large;
},
isAboveMinimumAge: function() {
var isBirthDefined = !(_.isUndefined(this.get('year_of_birth')) || _.isNull(this.get('year_of_birth')));
var yearOfBirth = this.get('year_of_birth');
var isBirthDefined = !(_.isUndefined(yearOfBirth) || _.isNull(yearOfBirth));
return isBirthDefined && !(this.get("requires_parental_consent"));
}
});
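Review bot: `profileImageUrl` still dereferences the raw attribute in its new form `return this.get('profile_image').image_url_large;`, while the neighbouring `hasProfileImage` first checks `_.isObject(profile_image)`; when `profile_image` is absent or null this accessor throws a TypeError instead of returning undefined, so either callers must always test `hasProfileImage()` first or the accessor should guard itself: `var profileImage = this.get('profile_image'); return _.isObject(profileImage) ? profileImage.image_url_large : undefined;`. The old line had the same gap, so this is pre-existing rather than a regression of the quote-style rewrite. In `isAboveMinimumAge` the new `yearOfBirth` local is a clear improvement, but the retained `this.get("requires_parental_consent")` keeps double quotes while every other line in the hunk uses single quotes. The `parse` method that owns the `responseKeys` change starts above the hunk and is not visible here.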
......
<%page expression_filter="h"/>
<%! from django.utils.translation import ugettext as _ %>
<div class="wrapper-msg urgency-high">
<div class="msg">
......
<%page expression_filter="h"/>
<%!
import json
from django.core.urlresolvers import reverse
from django.conf import settings
from django.utils.translation import ugettext as _
from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
%>
<!--<%namespace name='static' file='/static_content.html'/>-->
......@@ -27,12 +32,17 @@ from django.utils.translation import ugettext as _
<%block name="js_extra">
<%static:require_module module_name="js/student_account/views/account_settings_factory" class_name="AccountSettingsFactory">
var fieldsData = ${ json.dumps(fields) };
var authData = ${ json.dumps(auth) };
var platformName = ${json.dumps(static.get_platform_name())};
var fieldsData = ${ fields | n, dump_js_escaped_json };
var authData = ${ auth | n, dump_js_escaped_json };
var platformName = '${ static.get_platform_name() | n, js_escaped_string }';
AccountSettingsFactory(
fieldsData, authData, '${user_accounts_api_url}', '${user_preferences_api_url}', ${user.id}, platformName
fieldsData,
authData,
'${ user_accounts_api_url | n, js_escaped_string }',
'${ user_preferences_api_url | n, js_escaped_string }',
${ user.id | n, dump_js_escaped_json },
platformName
);
</%static:require_module>
</%block>
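Review bot: The new `| n, js_escaped_string` and `| n, dump_js_escaped_json` filters on `var fieldsData`, `var authData`, `var platformName` and the `AccountSettingsFactory(...)` arguments depend on `n` switching off the page-level `expression_filter="h"` added at the top of the file, and nothing in the template records that dependency; a later edit that drops the `n` would put HTML-entity-escaped JSON into the script block, and one that drops the JS filter reintroduces the injection the page filter is meant to close. Add a Mako comment above `var fieldsData`, e.g. `## 'n' disables the page-level h filter; js_escaped_string / dump_js_escaped_json then escape for a JS string literal / JS value instead.` With `json.dumps` gone from this hunk, the `import json` in the header block appears to be dead unless the rest of the template still uses it — worth checking before it lingers. The quoting is consistent in the hunk (string filters inside `'...'`, the JSON filter bare), which presumably matches what each helper expects.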