Merge pull request #11861 from edx/efischer/escape_names

Escape full names

Merge pull request #11861 from edx/efischer/escape_names
Escape full names
6c6542ae · Eric Fischer · f3d000ec · ce2fded1 · 6c6542ae · 6c6542ae
Commit 6c6542ae authored Mar 21, 2016 by Eric Fischer
4 changed files
--- a/lms/templates/certificates/_accomplishment-banner.html
+++ b/lms/templates/certificates/_accomplishment-banner.html
@@ -40,7 +40,7 @@ from django.template.defaultfilters import escapejs
 <div class="wrapper-banner wrapper-banner-user">
    <section class="banner banner-user">
        <div class="message message-block message-notice">
-            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening}</h2>
+            <h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening | h}</h2>
            <div class="wrapper-copy-and-actions">
                <p class="message-copy copy copy-base emphasized">${accomplishment_banner_congrats}</p>
                <div class="message-actions">

--- a/lms/templates/certificates/_accomplishment-rendering.html
+++ b/lms/templates/certificates/_accomplishment-rendering.html
@@ -24,7 +24,7 @@ course_mode_class = course_mode if course_mode else ''
            <div class="wrapper-statement-and-signatories">
                <div class="accomplishment-statement">
                    <p class="accomplishment-statement-lead">
-                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name}</strong>
+                        <strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name | h}</strong>
                        <span class="accomplishment-summary copy copy-lead">${accomplishment_copy_description_full}</span>

                        <span class="accomplishment-course hd-1 emphasized">
@@ -86,7 +86,7 @@ course_mode_class = course_mode if course_mode else ''

    <div class="wrapper-accomplishment-metadata">
        <div class="accomplishment-metadata">
-            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about}</h2>
+            <h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about | h}</h2>

            <div class="wrapper-metadata">
                <dl class="metadata accomplishment-recipient">
@@ -96,7 +96,7 @@ course_mode_class = course_mode if course_mode else ''
                            <img class="src" src="/static/certificates/images/demo-user-profile.png" alt="">
                        </span>
                        <div class="recipient-details">
-                            <h3 class="recipient-name">${accomplishment_copy_name}</h3>
+                            <h3 class="recipient-name">${accomplishment_copy_name | h}</h3>
                            <p class="recipient-username">${accomplishment_copy_username} @ ${platform_name}</p>
                        </div>
                    </dd>

--- a/lms/templates/instructor/instructor_dashboard_2/metrics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/metrics.html
@@ -91,7 +91,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);

            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.
@@ -131,7 +131,7 @@ from django.template.defaultfilters import escapejs
            $('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);

            $.each(response.results, function(index, value ){
-              overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + "</td><td>" + value['grade'] + "</td><td>" + value['percent'] + '</td></tr>';
+              overlay_content = '<tr><td>' + _.escape(value['name']) + "</td><td>" + _.escape(value['username']) + "</td><td>" + _.escape(value['grade']) + "</td><td>" + _.escape(value['percent']) + '</td></tr>';
              $('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
            });
            // If student list too long, append message to screen.

--- a/lms/templates/verify_student/pay_and_verify.html
+++ b/lms/templates/verify_student/pay_and_verify.html
@@ -59,7 +59,7 @@ from lms.djangoapps.verify_student.views import PayAndVerifyView
    <div
      id="pay-and-verify-container"
      class="pay-and-verify"
-      data-full-name='${user_full_name}'
+      data-full-name='${user_full_name | h}'
      data-platform-name='${platform_name}'
      data-course-key='${course_key}'
      data-course-name='${course.display_name|h}'