Added safe templating to instructor_analytics.html.

3ff09dee · Dennis Jen · 88aa4a90 · 3ff09dee · 3ff09dee
Commit 3ff09dee authored Mar 23, 2016 by Dennis Jen
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 12 deletions

lms/djangoapps/instructor/views/instructor_dashboard.py
+1 -10

lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
+22 -2

No files found.
--- a/lms/djangoapps/instructor/views/instructor_dashboard.py
+++ b/lms/djangoapps/instructor/views/instructor_dashboard.py
@@ -632,21 +632,12 @@ def _get_dashboard_link(course_key):

 def _section_analytics(course, access):
    """ Provide data for the corresponding dashboard section """
-    course_key = course.id
-    analytics_dashboard_url = '{0}/courses/{1}'.format(settings.ANALYTICS_DASHBOARD_URL, unicode(course_key))
-    link_start = "<a href=\"{}\" target=\"_blank\">".format(analytics_dashboard_url)
-    insights_message = _("For analytics about your course, go to {analytics_dashboard_name}.")
-
-    insights_message = insights_message.format(
-        analytics_dashboard_name=u'{0}{1}</a>'.format(link_start, settings.ANALYTICS_DASHBOARD_NAME)
-    )
    section_data = {
        'section_key': 'instructor_analytics',
        'section_display_name': _('Analytics'),
        'access': access,
-        'insights_message': insights_message,
+        'course_id': unicode(course.id),
    }
-
    return section_data



--- a/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
 <%page args="section_data"/>

+<%!
+from django.utils.encoding import escape_uri_path
+from django.utils.translation import ugettext as _
+
+from openedx.core.djangolib.markup import HTML, Text
+%>
+
 <div>
-  <p><em>${section_data['insights_message']}</em></p>
+    <p>
+        <em>
+            ${Text(_("For analytics about your course, go to {link_start}{analytics_dashboard_name}{link_end}.")).format(
+                link_start=HTML('<a href="{dashboard_url}" target="_blank">').format(
+                    dashboard_url=escape_uri_path('{base_url}/courses/{course_id}'.format(
+                        base_url=settings.ANALYTICS_DASHBOARD_URL,
+                        course_id=Text(section_data['course_id'])
+                    ))
+                ),
+                analytics_dashboard_name=settings.ANALYTICS_DASHBOARD_NAME,
+                link_end=HTML('</a>')
+            )}
+        </em>
+    </p>
 </div>