Commit 432c5706 by Nimisha Asthagiri

XSS Safe default - header.html, navigation.html, help_modal.html

parent 6eec5ac4
<%page expression_filter="h"/>
<%namespace name='static' file='../static_content.html'/> <%namespace name='static' file='../static_content.html'/>
<%! <%!
from django.conf import settings from django.conf import settings
...@@ -36,8 +37,8 @@ ...@@ -36,8 +37,8 @@
<h2 class="info-course"> <h2 class="info-course">
<span class="sr">${_("Current Course:")}</span> <span class="sr">${_("Current Course:")}</span>
<a class="course-link" href="${index_url}"> <a class="course-link" href="${index_url}">
<span class="course-org">${context_course.display_org_with_default | h}</span><span class="course-number">${context_course.display_number_with_default | h}</span> <span class="course-org">${context_course.display_org_with_default}</span><span class="course-number">${context_course.display_number_with_default}</span>
<span class="course-title" title="${context_course.display_name_with_default_escaped}">${context_course.display_name_with_default_escaped}</span> <span class="course-title" title="${context_course.display_name_with_default}">${context_course.display_name_with_default}</span>
</a> </a>
</h2> </h2>
...@@ -139,8 +140,8 @@ ...@@ -139,8 +140,8 @@
<h2 class="info-course"> <h2 class="info-course">
<span class="sr">${_("Current Library:")}</span> <span class="sr">${_("Current Library:")}</span>
<a class="course-link" href="${index_url}"> <a class="course-link" href="${index_url}">
<span class="course-org">${context_library.display_org_with_default | h}</span><span class="course-number">${context_library.display_number_with_default | h}</span> <span class="course-org">${context_library.display_org_with_default}</span><span class="course-number">${context_library.display_number_with_default}</span>
<span class="course-title" title="${context_library.display_name_with_default_escaped}">${context_library.display_name_with_default_escaped}</span> <span class="course-title" title="${context_library.display_name_with_default}">${context_library.display_name_with_default}</span>
</a> </a>
</h2> </h2>
......
## mako ## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%include file="${static.get_themed_template_path(relative_path='theme-header.html', default_path='navigation.html')}" /> <%include file="${static.get_themed_template_path(relative_path='theme-header.html', default_path='navigation.html')}" />
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%! <%!
...@@ -6,6 +7,8 @@ import pytz ...@@ -6,6 +7,8 @@ import pytz
from django.conf import settings from django.conf import settings
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from openedx.core.djangolib.js_utils import js_escaped_string
from openedx.core.djangolib.markup import Text, HTML
from xmodule.tabs import CourseTabList from xmodule.tabs import CourseTabList
%> %>
...@@ -28,8 +31,8 @@ from xmodule.tabs import CourseTabList ...@@ -28,8 +31,8 @@ from xmodule.tabs import CourseTabList
<header> <header>
<h2> <h2>
${_('{platform_name} Help').format( ${Text(_('{platform_name} Help')).format(
platform_name=u'<span class="edx">{}</span>'.format(static.get_platform_name()) platform_name=HTML(u'<span class="edx">{}</span>').format(static.get_platform_name())
)} )}
</h2> </h2>
<hr> <hr>
...@@ -41,22 +44,30 @@ from xmodule.tabs import CourseTabList ...@@ -41,22 +44,30 @@ from xmodule.tabs import CourseTabList
%> %>
% if discussion_link: % if discussion_link:
<p>${_('For <strong>questions on course lectures, homework, tools, or materials for this course</strong>, post in the {link_start}course discussion forum{link_end}.').format( <p>${Text(_('For {strong_start}questions on course lectures, homework, tools, or materials for this course{strong_end}, post in the {link_start}course discussion forum{link_end}.')).format(
link_start='<a href="{url}" target="_blank">'.format(url=discussion_link), strong_start=HTML('<strong>'),
link_end='</a>', strong_end=HTML('</strong>'),
link_start=HTML('<a href="{url}" target="_blank">').format(
url=discussion_link
),
link_end=HTML('</a>'),
)} )}
</p> </p>
% endif % endif
<p>${_('Have <strong>general questions about {platform_name}</strong>? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.').format( <p>${Text(_('Have {strong_start}general questions about {platform_name}{strong_end}? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.')).format(
link_start='<a href="{url}" target="_blank">'.format( strong_start=HTML('<strong>'),
strong_end=HTML('</strong>'),
link_start=HTML('<a href="{url}" target="_blank">').format(
url=marketing_link('FAQ') url=marketing_link('FAQ')
), ),
link_end='</a>', link_end=HTML('</a>'),
platform_name=static.get_platform_name())} platform_name=static.get_platform_name())}
</p> </p>
<p>${_('Have a <strong>question about something specific</strong>? You can contact the {platform_name} general support team directly:').format( <p>${Text(_('Have a {strong_start}question about something specific{strong_end}? You can contact the {platform_name} general support team directly:')).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>'),
platform_name=static.get_platform_name() platform_name=static.get_platform_name()
)}</p> )}</p>
<hr> <hr>
...@@ -99,7 +110,7 @@ from xmodule.tabs import CourseTabList ...@@ -99,7 +110,7 @@ from xmodule.tabs import CourseTabList
<textarea name="details" id="feedback_form_details" aria-required="true"></textarea> <textarea name="details" id="feedback_form_details" aria-required="true"></textarea>
<input name="issue_type" type="hidden"> <input name="issue_type" type="hidden">
% if course: % if course:
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string() | h}"> <input name="course_id" type="hidden" value="${unicode(course.id)}">
% endif % endif
<div class="submit"> <div class="submit">
<input name="submit" type="submit" value="${_('Submit')}" id="feedback_submit"> <input name="submit" type="submit" value="${_('Submit')}" id="feedback_submit">
...@@ -131,16 +142,16 @@ from xmodule.tabs import CourseTabList ...@@ -131,16 +142,16 @@ from xmodule.tabs import CourseTabList
close_time = "22:00" close_time = "22:00"
%> %>
<p> <p>
${_( ${Text(_(
'Thank you for your inquiry or feedback. We typically respond to a request ' 'Thank you for your inquiry or feedback. We typically respond to a request '
'within one business day (Monday to Friday, {open_time} UTC to {close_time} UTC.) In the meantime, please ' 'within one business day (Monday to Friday, {open_time} UTC to {close_time} UTC.) In the meantime, please '
'review our {link_start}detailed FAQs{link_end} where most questions have ' 'review our {link_start}detailed FAQs{link_end} where most questions have '
'already been answered.' 'already been answered.'
).format( )).format(
open_time=open_time, open_time=open_time,
close_time=close_time, close_time=close_time,
link_start='<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">'.format(marketing_link('FAQ')), link_start=HTML('<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">').format(marketing_link('FAQ')),
link_end='</a>' link_end=HTML('</a>')
)} )}
</p> </p>
</div> </div>
...@@ -201,29 +212,32 @@ from xmodule.tabs import CourseTabList ...@@ -201,29 +212,32 @@ from xmodule.tabs import CourseTabList
$("#feedback_link_problem").click(function(event) { $("#feedback_link_problem").click(function(event) {
showFeedback( showFeedback(
event, event,
"${_('problem')}", "${_('problem') | n, js_escaped_string}",
"${_('Report a Problem')}", "${_('Report a Problem') | n, js_escaped_string}",
"${_('Brief description of the problem')}" + "*", "${_('Brief description of the problem') + '*' | n, js_escaped_string}" ,
"${_('Details of the problem you are encountering')}" + "*" + "<span class='tip'>" + "${Text(_('Details of the problem you are encountering{asterisk}{begin_span}Include error messages, steps which lead to the issue, etc.{end_span}')).format(
"${_('Include error messages, steps which lead to the issue, etc.')}" + "</span>" asterisk='*',
begin_span=HTML('<span class=tip>'),
end_span=HTML('</span>'),
) | n, js_escaped_string}"
); );
}); });
$("#feedback_link_suggestion").click(function(event) { $("#feedback_link_suggestion").click(function(event) {
showFeedback( showFeedback(
event, event,
"${_('suggestion')}", "${_('suggestion') | n, js_escaped_string}",
"${_('Make a Suggestion')}", "${_('Make a Suggestion') | n, js_escaped_string}",
"${_('Brief description of your suggestion')}" + "*", "${_('Brief description of your suggestion') + '*' | n, js_escaped_string}",
"${_('Details')}" + "*" "${_('Details') + '*' | n, js_escaped_string}"
); );
}); });
$("#feedback_link_question").click(function(event) { $("#feedback_link_question").click(function(event) {
showFeedback( showFeedback(
event, event,
"${_('question')}", "${_('question') | n, js_escaped_string}",
"${_('Ask a Question')}", "${_('Ask a Question') | n, js_escaped_string}",
"${_('Brief summary of your question')}" + "*", "${_('Brief summary of your question') + '*' | n, js_escaped_string}",
"${_('Details')}" + "*" "${_('Details') + '*' | n, js_escaped_string}"
); );
}); });
$("#feedback_form").submit(function() { $("#feedback_form").submit(function() {
...@@ -251,21 +265,21 @@ from xmodule.tabs import CourseTabList ...@@ -251,21 +265,21 @@ from xmodule.tabs import CourseTabList
$("#feedback_error").html(responseData.error).stop().css("display", "block"); $("#feedback_error").html(responseData.error).stop().css("display", "block");
} else { } else {
// If no data (or malformed data) is returned, a server error occurred // If no data (or malformed data) is returned, a server error occurred
htmlStr = "${_('An error has occurred.')}"; htmlStr = "${_('An error has occurred.') | n, js_escaped_string}";
% if settings.FEEDBACK_SUBMISSION_EMAIL: % if settings.FEEDBACK_SUBMISSION_EMAIL:
htmlStr += " " + _.template( htmlStr += " " + "${Text(_('Please {link_start}send us e-mail{link_end}.')).format(
"${_('Please {link_start}send us e-mail{link_end}.')}", {interpolate: /\{(.+?)\}/g})( link_start=HTML('<a href="#" id="feedback_email">'),
{link_start: '<a href="#" id="feedback_email">', link_end: '</a>'} link_end=HTML('</a>'),
); ) | n, js_escaped_string}";
% else: % else:
// If no email is configured, we can't do much other than // If no email is configured, we can't do much other than
// ask the user to try again later // ask the user to try again later
htmlStr += " " + "${_('Please try again later.')}"; htmlStr += " " + "${_('Please try again later.') | n, js_escaped_string}";
% endif % endif
$("#feedback_error").html(htmlStr).stop().css("display", "block"); $("#feedback_error").html(htmlStr).stop().css("display", "block");
% if settings.FEEDBACK_SUBMISSION_EMAIL: % if settings.FEEDBACK_SUBMISSION_EMAIL:
$("#feedback_email").click(function(e) { $("#feedback_email").click(function(e) {
mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL}" + mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL | n, js_escaped_string}" +
"?subject=" + $("#feedback_form input[name='subject']").val() + "?subject=" + $("#feedback_form input[name='subject']").val() +
"&body=" + $("#feedback_form textarea[name='details']").val(); "&body=" + $("#feedback_form textarea[name='details']").val();
window.open(mailto); window.open(mailto);
......
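Review bot: `begin_span=HTML('<span class=tip>')` in the feedback_link_problem handler leaves the class attribute unquoted where the old JS string had `class='tip'`; since the markup is now fixed server-side and only JS-escaped afterwards, write it as `begin_span=HTML('<span class="tip">')`. The rewritten link markup in the discussion-forum, FAQ and feedback-faq-link hunks keeps `target="_blank"` without `rel="noopener noreferrer"`; the URLs come from `discussion_link` and `marketing_link('FAQ')`, so the exposure looks small, but the attribute costs nothing, e.g. `HTML('<a href="{url}" target="_blank" rel="noopener noreferrer">')`. The `mailto` string in the feedback_email handler still concatenates the subject and details field values without `encodeURIComponent`; those two lines are unchanged context, so this may be a deliberate follow-up rather than part of this change. The click handlers and the surrounding script block continue outside the hunks.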
## mako ## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%namespace file='main.html' import="login_query"/> <%namespace file='main.html' import="login_query"/>
<%! <%!
...@@ -48,9 +49,9 @@ site_status_msg = get_site_status_msg(course_id) ...@@ -48,9 +49,9 @@ site_status_msg = get_site_status_msg(course_id)
% if course and not disable_courseware_header: % if course and not disable_courseware_header:
<h2 class="course-header"> <h2 class="course-header">
<span class="provider">${course.display_org_with_default | h}:</span> <span class="provider">${course.display_org_with_default}:</span>
<span class="course-number">${course.display_number_with_default | h}</span> <span class="course-number">${course.display_number_with_default}</span>
<span class="course-name">${course.display_name_with_default_escaped}</span> <span class="course-name">${course.display_name_with_default}</span>
</h2> </h2>
% endif % endif
...@@ -140,7 +141,15 @@ site_status_msg = get_site_status_msg(course_id) ...@@ -140,7 +141,15 @@ site_status_msg = get_site_status_msg(course_id)
</header> </header>
% if course: % if course:
<!--[if lte IE 9]> <!--[if lte IE 9]>
<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div> <div class="ie-banner" aria-hidden="true">
${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
begin_strong=HTML('<strong>'),
end_strong=HTML('</strong>'),
chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
)
}
</div>
<![endif]--> <![endif]-->
% endif % endif
......
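Review bot: The rebuilt IE banner keeps `aria-hidden="true"` on a `<div>` that now contains two focusable `<a>` links (Chrome and Firefox), which hides the warning text from assistive technology while leaving the links in the tab order; unless hiding is intended, drop the attribute or give the links `tabindex="-1"`. Because the markup sits inside `<!--[if lte IE 9]>`, only IE 9 and below render it, so the practical impact is limited to those browsers. The same `Text(...).format(...)` block is repeated verbatim in the second navigation template in this commit (its hunk at `@@ -194,7 +196,15 @@`), so a shared `<%def>` or include would keep the two translation strings from drifting. The Firefox link still uses `http://www.mozilla.org/firefox`; an `https:` URL would avoid a hop over plain HTTP. The `% if course:` block closes inside the hunk, but the `</header>` it follows belongs to markup that starts outside it.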
## mako ## mako
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%namespace file='main.html' import="login_query"/> <%namespace file='main.html' import="login_query"/>
<%! <%!
...@@ -8,6 +9,7 @@ from django.utils.translation import ugettext as _ ...@@ -8,6 +9,7 @@ from django.utils.translation import ugettext as _
from lms.djangoapps.ccx.overrides import get_current_ccx from lms.djangoapps.ccx.overrides import get_current_ccx
from microsite_configuration import microsite from microsite_configuration import microsite
from microsite_configuration.templatetags.microsite import platform_name from microsite_configuration.templatetags.microsite import platform_name
from openedx.core.djangolib.markup import Text, HTML
from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_urls_for_user from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_urls_for_user
# App that handles subdomain specific branding # App that handles subdomain specific branding
...@@ -48,10 +50,10 @@ site_status_msg = get_site_status_msg(course_id) ...@@ -48,10 +50,10 @@ site_status_msg = get_site_status_msg(course_id)
</h1> </h1>
% if course: % if course:
<h2 class="course-header"><span class="provider">${course.display_org_with_default | h}:</span> <h2 class="course-header"><span class="provider">${course.display_org_with_default}:</span>
<span class="course-number">${course.display_number_with_default | h}</span> <span class="course-number">${course.display_number_with_default}</span>
<% <%
display_name = course.display_name_with_default_escaped display_name = course.display_name_with_default
if settings.FEATURES.get('CUSTOM_COURSES_EDX', False): if settings.FEATURES.get('CUSTOM_COURSES_EDX', False):
ccx = get_current_ccx(course.id) ccx = get_current_ccx(course.id)
if ccx: if ccx:
...@@ -194,7 +196,15 @@ site_status_msg = get_site_status_msg(course_id) ...@@ -194,7 +196,15 @@ site_status_msg = get_site_status_msg(course_id)
</header> </header>
% if course: % if course:
<!--[if lte IE 9]> <!--[if lte IE 9]>
<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div> <div class="ie-banner" aria-hidden="true">
${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
begin_strong=HTML('<strong>'),
end_strong=HTML('</strong>'),
chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
)
}
</div>
<![endif]--> <![endif]-->
% endif % endif
......
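Review bot: `display_name = course.display_name_with_default` in the `<% %>` block now holds the raw, unescaped course name, and both the CCX branch that appears to reassign it and the place where `display_name` is finally emitted are outside the hunk; confirm that every output of it relies on the page-level `h` filter and does not carry `| n` or splice it into `HTML(...)` markup, since that would reintroduce the injection the page directive is meant to close. A short comment on the assignment would help the next reader, e.g. `## raw value: escaped by the page-level expression_filter="h" at output`. The `_escaped` property is no longer referenced in this template, so any remaining use of it elsewhere in the file should follow the same pattern to avoid double-escaping. The header and the `<% %>` block both continue outside the hunk.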