Merge pull request #11924 from edx/sstudent/safe_video_template

Sstudent/safe video template

Merge pull request #11924 from edx/sstudent/safe_video_template
Sstudent/safe video template
5ec01207 · sanfordstudent · 4a496e7d · 3d6fb38d · 5ec01207 · 5ec01207
Commit 5ec01207 authored Mar 24, 2016 by sanfordstudent
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 7 deletions

common/lib/xmodule/xmodule/video_module/video_module.py
+2 -0

lms/templates/video.html
+14 -7

No files found.
--- a/common/lib/xmodule/xmodule/video_module/video_module.py
+++ b/common/lib/xmodule/xmodule/video_module/video_module.py
@@ -108,6 +108,8 @@ class VideoModule(VideoFields, VideoTranscriptsMixin, VideoStudentViewHandlers, 
    # To make sure that js files are called in proper order we use numerical
    # index. We do that to avoid issues that occurs in tests.
    module = __name__.replace('.video_module', '', 2)
+
+    #TODO: For each of the following, ensure that any generated html is properly escaped.
    js = {
        'js': [
            resource_string(module, 'js/src/video/00_component.js'),

--- a/lms/templates/video.html
+++ b/lms/templates/video.html
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>

+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
+%>
 % if display_name is not UNDEFINED and display_name is not None:
    <h3 class="hd hd-2">${display_name}</h3>
 % endif
@@ -89,27 +93,29 @@
 </div>
 % if cdn_eval:
 <script>
+  //TODO: refactor this js into a separate file.
  function sendPerformanceBeacon(id, expgroup, value, event_name) {
    var data = {event: event_name, id: id, expgroup: expgroup, value: value, page: "html5vid"};
    $.ajax({method: "POST", url: "/performance", data: data});
  }
  var cdnStartTime;
  var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
+  var id = "${id | n, js_escaped_string}";
  function initializeCDNExperiment() {
-    sendPerformanceBeacon("${id}_" + salt, ${cdn_exp_group}, "", "load");
+    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
    cdnStartTime = Date.now();
    $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata',
                    'loadeddata', 'canplay', 'canplaythrough', 'seeked'],
                    function(index, eventName) {
-      $("#video_${id}").bind("html5:" + eventName, null, function() {
+      $("#video_" + id).bind("html5:" + eventName, null, function() {
        timeElapsed = Date.now() - cdnStartTime;
-        sendPerformanceBeacon("${id}_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
      });
    });
  }
-  $("#video_${id}").bind("initialize", null, initializeCDNExperiment);
-  if ($("#video_${id}").hasClass("is-initialized")) {
+  $("#video_" + id).bind("initialize", null, initializeCDNExperiment);
+  if ($("#video_" + id).hasClass("is-initialized")) {
    initializeCDNExperiment();
  }
 </script>
-% endif;
+% endif;
\ No newline at end of file