Merge pull request #11551 from edx/mushtaq/fix-tnl4006

Studio homepage escaping

Merge pull request #11551 from edx/mushtaq/fix-tnl4006
Studio homepage escaping
689bb73b · Mushtaq Ali · dcb04cb0 · 7a9991e9 · 689bb73b · 689bb73b
Commit 689bb73b authored Feb 18, 2016 by Mushtaq Ali
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 2 deletions

cms/djangoapps/contentstore/tests/test_course_listing.py
+28 -1

cms/djangoapps/contentstore/views/tests/test_programs.py
+2 -1

cms/templates/index.html
+0 -0

No files found.
--- a/cms/djangoapps/contentstore/tests/test_course_listing.py
+++ b/cms/djangoapps/contentstore/tests/test_course_listing.py
@@ -9,6 +9,9 @@ from mock import patch, Mock
 import ddt

 from django.test import RequestFactory
+from django.test.client import Client
+
+from common.test.utils import XssTestMixin
 from xmodule.course_module import CourseSummary

 from contentstore.views.course import (_accessible_courses_list, _accessible_courses_list_from_groups,
@@ -30,7 +33,7 @@ USER_COURSES_COUNT = 50


 @ddt.ddt
-class TestCourseListing(ModuleStoreTestCase):
+class TestCourseListing(ModuleStoreTestCase, XssTestMixin):
    """
    Unit tests for getting the list of courses for a logged in user
    """
@@ -72,6 +75,30 @@ class TestCourseListing(ModuleStoreTestCase):
        self.client.logout()
        ModuleStoreTestCase.tearDown(self)

+    def test_course_listing_is_escaped(self):
+        """
+        Tests course listing returns escaped data.
+        """
+        escaping_content = "<script>alert('ESCAPE')</script>"
+
+        # Make user staff to access course listing
+        self.user.is_staff = True
+        self.user.save()  # pylint: disable=no-member
+
+        self.client = Client()
+        self.client.login(username=self.user.username, password='test')
+
+        # Change 'display_coursenumber' field and update the course.
+        course = CourseFactory.create()
+        course.display_coursenumber = escaping_content
+        course = self.store.update_item(course, self.user.id)  # pylint: disable=no-member
+        self.assertEqual(course.display_coursenumber, escaping_content)
+
+        # Check if response is escaped
+        response = self.client.get('/home')
+        self.assertEqual(response.status_code, 200)
+        self.assert_no_xss(response, escaping_content)
+
    def test_get_course_list(self):
        """
        Test getting courses with new access group format e.g. 'instructor_edx.course.run'

--- a/cms/djangoapps/contentstore/views/tests/test_programs.py
+++ b/cms/djangoapps/contentstore/views/tests/test_programs.py
@@ -10,6 +10,7 @@ from provider.constants import CONFIDENTIAL

 from openedx.core.djangoapps.programs.models import ProgramsApiConfig
 from openedx.core.djangoapps.programs.tests.mixins import ProgramsApiConfigMixin, ProgramsDataMixin
+from openedx.core.djangolib.markup import escape
 from student.tests.factories import UserFactory
 from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase

@@ -63,7 +64,7 @@ class TestProgramListing(ProgramsApiConfigMixin, ProgramsDataMixin, SharedModule
        self.mock_programs_api(data={'results': []})

        response = self.client.get(self.studio_home)
-        self.assertIn("You haven't created any programs yet.", response.content)
+        self.assertIn(escape("You haven't created any programs yet."), response.content)

        # When data is provided, expect a program listing.
        self.mock_programs_api()

--- a/cms/templates/index.html
+++ b/cms/templates/index.html