XSS Safe Default - dashboard

6eec5ac4 · Nimisha Asthagiri · 15e5a7db · 6eec5ac4 · 6eec5ac4 · 6eec5ac4
Commit 6eec5ac4 authored Mar 23, 2016 by Nimisha Asthagiri
5 changed files
--- a/common/djangoapps/student/tests/tests.py
+++ b/common/djangoapps/student/tests/tests.py
@@ -249,11 +249,14 @@ class DashboardTest(ModuleStoreTestCase):
        Test that the certificate verification status for courses is visible on the dashboard.
        """
        self.client.login(username="jack", password="test")
-        self._check_verification_status_on('verified', 'You\'re enrolled as a verified student')
-        self._check_verification_status_on('honor', 'You\'re enrolled as an honor code student')
+        self._check_verification_status_on('verified', 'You&#39;re enrolled as a verified student')
+        self._check_verification_status_on('honor', 'You&#39;re enrolled as an honor code student')
        self._check_verification_status_off('audit', '')
-        self._check_verification_status_on('professional', 'You\'re enrolled as a professional education student')
-        self._check_verification_status_on('no-id-professional', 'You\'re enrolled as a professional education student')
+        self._check_verification_status_on('professional', 'You&#39;re enrolled as a professional education student')
+        self._check_verification_status_on(
+            'no-id-professional',
+            'You&#39;re enrolled as a professional education student',
+        )

    @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
    def _check_verification_status_off(self, mode, value):

--- a/lms/templates/dashboard.html
+++ b/lms/templates/dashboard.html
+<%page expression_filter="h"/>
 <%inherit file="main.html" />
 <%namespace name='static' file='static_content.html'/>
 <%!
+from django.core.urlresolvers import reverse
 from django.utils.translation import ugettext as _
 from django.template import RequestContext
 import third_party_auth
 from third_party_auth import pipeline
-from django.core.urlresolvers import reverse
-import json
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>

 <%
@@ -39,9 +40,9 @@ import json
  <script type="text/javascript">
    $(document).ready(function() {
      edx.dashboard.legacy.init({
-        dashboard: "${reverse('dashboard')}",
-        signInUser: "${reverse('signin_user')}",
-        changeEmailSettings: "${reverse('change_email_settings')}"
+        dashboard: "${reverse('dashboard') | n, js_escaped_string}",
+        signInUser: "${reverse('signin_user') | n, js_escaped_string}",
+        changeEmailSettings: "${reverse('change_email_settings') | n, js_escaped_string}"
      });
    });
  </script>
@@ -54,7 +55,7 @@ import json
    <%static:require_module module_name="js/views/message_banner" class_name="MessageBannerView">
        var banner = new MessageBannerView({urgency: 'low', type: 'warning'});
        $('#content').prepend(banner.$el);
-        banner.showMessage(${json.dumps(redirect_message)})
+        banner.showMessage(${redirect_message | n, dump_js_escaped_json})
    </%static:require_module>
  % endif
 </%block>
@@ -117,7 +118,7 @@ import json
        <h2>${_("Course-loading errors")}</h2>

      % for course_dir, errors in errored_courses.items():
-         <h3>${course_dir | h}</h3>
+         <h3>${course_dir}</h3>
             <ul>
           % for (msg, err) in errors:
               <li>${msg}

--- a/lms/templates/dashboard/_dashboard_course_listing.html
+++ b/lms/templates/dashboard/_dashboard_course_listing.html
--- a/lms/templates/dashboard/_dashboard_status_verification.html
+++ b/lms/templates/dashboard/_dashboard_status_verification.html
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _

--- a/themes/edx.org/lms/templates/dashboard.html
+++ b/themes/edx.org/lms/templates/dashboard.html
+<%page expression_filter="h"/>
 <%inherit file="main.html" />
 <%namespace name='static' file='static_content.html'/>
 <%!
@@ -8,6 +9,7 @@ from third_party_auth import pipeline
 from microsite_configuration import microsite
 from django.core.urlresolvers import reverse
 import json
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>

 <%
@@ -40,9 +42,9 @@ import json
  <script type="text/javascript">
    $(document).ready(function() {
      edx.dashboard.legacy.init({
-        dashboard: "${reverse('dashboard')}",
-        signInUser: "${reverse('signin_user')}",
-        changeEmailSettings: "${reverse('change_email_settings')}"
+        dashboard: "${reverse('dashboard') | n, js_escaped_string}",
+        signInUser: "${reverse('signin_user') | n, js_escaped_string}",
+        changeEmailSettings: "${reverse('change_email_settings') | n, js_escaped_string}"
      });
    });
  </script>
@@ -55,7 +57,7 @@ import json
    <%static:require_module module_name="js/views/message_banner" class_name="MessageBannerView">
        var banner = new MessageBannerView({urgency: 'low', type: 'warning'});
        $('#content').prepend(banner.$el);
-        banner.showMessage(${json.dumps(redirect_message)})
+        banner.showMessage(${redirect_message | n, dump_js_escaped_json})
    </%static:require_module>
  % endif
 </%block>
@@ -118,7 +120,7 @@ import json
        <h2>${_("Course-loading errors")}</h2>

      % for course_dir, errors in errored_courses.items():
-         <h3>${course_dir | h}</h3>
+         <h3>${course_dir}</h3>
             <ul>
           % for (msg, err) in errors:
               <li>${msg}