Commit 77a04daa by Calen Pennington

Properly escape CourseKeys and UsageKeys in html templates

[LMS-11372]
[LMS-11370]
parent c5ae921d
## -*- coding: utf-8 -*-
<%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%namespace name='static' file='static_content.html'/>
<!doctype html>
......@@ -14,7 +15,7 @@
<%block name="title"></%block> |
% if context_course:
<% ctx_loc = context_course.location %>
${context_course.display_name_with_default} |
${context_course.display_name_with_default | h} |
% endif
edX Studio
</title>
......@@ -329,7 +330,7 @@
<script type="text/javascript">
require(['js/models/course'], function(Course) {
window.course = new Course({
id: "${context_course.id}",
id: "${context_course.id | escapejs}",
name: "${context_course.display_name_with_default | h}",
url_name: "${context_course.location.name | h}",
org: "${context_course.location.org | h}",
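Review bot: The `| h` filters on the name/url_name/org lines (L28-L30) sit in the same JS object literal as the newly `escapejs`-filtered `id`, but `h` is an HTML escaper: it stops a quote from ending the string, yet leaves `&#34;`-style entities in the JS value and does nothing about backslashes. Use `escapejs` there as well, e.g. `name: "${context_course.display_name_with_default | escapejs}",`, so the whole literal is escaped for one context. The `require(...)` callback continues past the hunk.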
......
......@@ -115,7 +115,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
<article class="content-primary">
<div class="container-message wrapper-message"></div>
<section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator}" data-course-key="${xblock_locator.course_key}">
<section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator | h}" data-course-key="${xblock_locator.course_key | h}">
</section>
<div class="ui-loading">
<p><span class="spin"><i class="icon-refresh"></i></span> <span class="copy">${_("Loading...")}</span></p>
......@@ -138,7 +138,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
<div class="wrapper-unit-id bar-mod-content">
<h5 class="title">${_("Location ID")}</h5>
<p class="unit-id">
<span class="unit-id-value" id="unit-location-id-input">${unit.location.name}</span>
<span class="unit-id-value" id="unit-location-id-input">${unit.location.name | h}</span>
<span class="tip"><span class="sr">Tip: </span>${_("Use this ID when you create links to this unit from other course content. You enter the ID in the URL field.")}</span>
</p>
</div>
......
......@@ -2,6 +2,7 @@
<%def name="online_help_token()"><% return "course_rerun" %></%def>
<%! from django.utils.translation import ugettext as _ %>
<%! from django.core.urlresolvers import reverse %>
<%! from django.template.defaultfilters import escapejs %>
<%block name="title">${_("Create a Course Rerun of:")}</%block>
<%block name="bodyclass">is-signedin view-course-create view-course-create-rerun</%block>
......@@ -13,7 +14,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
});
</script>
<script type="text/javascript">
var source_course_key = "${source_course_key}"
var source_course_key = "${source_course_key | escapejs}"
</script>
</%block>
......@@ -37,7 +38,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
<h2 class="page-header-super course-original">
<span class="sr">${_("You are creating a re-run from:")}</span>
<span class="course-original-title-id">${source_course_key.org} ${source_course_key.course} ${source_course_key.run}</span>
<span class="course-original-title-id">${source_course_key.org | h} ${source_course_key.course | h} ${source_course_key.run | h}</span>
<span class="course-original-title">${display_name}</span>
</h2>
</header>
......@@ -79,7 +80,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
</li>
<li class="field text required" id="field-organization">
<label for="rerun-course-org">${_("Organization")}</label>
<input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org}" placeholder="${_('e.g. UniversityX or OrganizationX')}" />
<input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org | h}" placeholder="${_('e.g. UniversityX or OrganizationX')}" />
<span class="tip">
${_("The name of the organization sponsoring the new course. (This name is often the same as the original organization name.)")}
<strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
......@@ -90,7 +91,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
<li class="row">
<div class="column field text required" id="field-course-number">
<label for="rerun-course-number">${_("Course Number")}</label>
<input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course}" placeholder="${_('e.g. CS101')}" />
<input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course | h}" placeholder="${_('e.g. CS101')}" />
<span class="tip">
${_("The unique number that identifies the new course within the organization. (This number is often the same as the original course number.)")}
<strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
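Review bot: `display_name` on L70 is rendered unescaped in the same hunk that adds `| h` to the org/course/run parts on the line directly above it; the course display name is author-controlled text and should get the same treatment, `<span class="course-original-title">${display_name | h}</span>`. Separately, the new L62 still lacks a statement terminator, `var source_course_key = "${source_course_key | escapejs}";`, which is harmless here but inconsistent with the rest of the script block.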
......
<%!
<%!
from django.utils.translation import ugettext as _
from django.template.defaultfilters import escapejs
%>
<%inherit file="base.html" />
<%def name="online_help_token()"><% return "updates" %></%def>
......@@ -20,7 +21,7 @@
<%block name="jsextra">
<script type="text/javascript" charset="utf-8">
require(["domReady!", "jquery", "js/collections/course_update", "js/models/module_info", "js/models/course_info", "js/views/course_info_edit"],
function(doc, $, CourseUpdateCollection, ModuleInfoModel, CourseInfoModel, CourseInfoEditView) {
var course_updates = new CourseUpdateCollection();
......@@ -28,7 +29,7 @@ require(["domReady!", "jquery", "js/collections/course_update", "js/models/modul
course_updates.fetch({reset: true});
var course_handouts = new ModuleInfoModel({
id: '${handouts_locator}'
id: '${handouts_locator | escapejs}'
});
var editor = new CourseInfoEditView({
......
......@@ -73,7 +73,7 @@ from contentstore.utils import reverse_usage_url
<h3 class="sr">${_("Page Actions")}</h3>
<ul>
<li class="nav-item">
<a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}">
<a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location | h}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}">
<i class="icon-plus"></i>${_('New Section')}
</a>
</li>
......@@ -116,7 +116,7 @@ from contentstore.utils import reverse_usage_url
course_locator = context_course.location
%>
<h2 class="sr">${_("Course Outline")}</h2>
<article class="outline outline-complex outline-course" data-locator="${course_locator}" data-course-key="${course_locator.course_key}">
<article class="outline outline-complex outline-course" data-locator="${course_locator | h}" data-course-key="${course_locator.course_key | h}">
</article>
</div>
<div class="ui-loading">
......@@ -139,7 +139,7 @@ from contentstore.utils import reverse_usage_url
<div class="bit external-help">
<a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
</div>
</aside>
</section>
</div>
......
......@@ -5,6 +5,7 @@
from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse
from xmodule.tabs import StaticTab
from django.template.defaultfilters import escapejs
%>
<%block name="title">${_("Pages")}</%block>
<%block name="bodyclass">is-signedin course view-static-pages</%block>
......@@ -24,7 +25,7 @@
function (TabsModel, TabsEditView, xmoduleLoader) {
xmoduleLoader.done(function () {
var model = new TabsModel({
id: "${context_course.location}",
id: "${context_course.location | escapejs}",
explicit_url: "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}"
});
......@@ -86,7 +87,7 @@
%>
% if isinstance(tab, StaticTab):
<li class="component ${css_class}" data-locator="${tab.locator}" data-tab-id="${tab.tab_id}"></li>
<li class="component ${css_class}" data-locator="${tab.locator | h}" data-tab-id="${tab.tab_id | h}"></li>
% else:
<li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id}">
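Review bot: `tab.tab_id` is escaped with `| h` in the StaticTab branch (L159) but the `% else:` branch on L161 still emits `data-tab-id="${tab.tab_id}"` unescaped, so the two branches now disagree on the same value; change it to `data-tab-id="${tab.tab_id | h}"`. In the first hunk, `explicit_url` (L153) is interpolated into a JS string literal next to the newly escaped `id` with no filter; `reverse()` should percent-encode its kwargs, but applying `| escapejs` there too keeps the object literal uniformly escaped. The `% else:` block continues outside the hunk.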
......
......@@ -60,7 +60,7 @@
<aside class="content-supplementary" role="complimentary">
<dl class="export-git-info-block">
<dt>${_("Your course:")}</dt>
<dd class="course_text">${context_course.id}</dd>
<dd class="course_text">${context_course.id | h}</dd>
<dt>${_("Course git url:")}</dt>
<dd class="giturl_text">${context_course.giturl}</dd>
</dl>
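Review bot: `context_course.giturl` on L170 is still unescaped while the sibling `context_course.id` two lines above now gets `| h`; the git URL is a course-level setting that course authors can edit, so it belongs in the same fix: `<dd class="giturl_text">${context_course.giturl | h}</dd>`.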
......
......@@ -140,7 +140,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
%for course_info in sorted(in_process_course_actions, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
<!-- STATE: re-run is processing -->
%if course_info['is_in_progress']:
<li class="wrapper-course has-status" data-course-key="${course_info['course_key']}">
<li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
<div class="course-item course-rerun is-processing">
<div class="course-details" href="#">
<h3 class="course-title">${course_info['display_name']}</h3>
......@@ -178,7 +178,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
<!-- STATE: re-run has error -->
%if course_info['is_failed']:
<li class="wrapper-course has-status" data-course-key="${course_info['course_key']}">
<li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
<div class="course-item course-rerun has-error">
<div class="course-details" href="#">
<h3 class="course-title">${course_info['display_name']}</h3>
......@@ -229,7 +229,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
<div class="courses">
<ul class="list-courses">
%for course_info in sorted(courses, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
<li class="course-item" data-course-key="${course_info['course_key']}">
<li class="course-item" data-course-key="${course_info['course_key'] | h}">
<a class="course-link" href="${course_info['url']}">
<h3 class="course-title">${course_info['display_name']}</h3>
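Review bot: `course_info['display_name']` is emitted unescaped on L181, L189 and L197, in each of the three hunks that add `| h` to the neighbouring `course_key`; the display name is free-form course text and belongs in the same fix, e.g. `<h3 class="course-title">${course_info['display_name'] | h}</h3>`. The `href="${course_info['url']}"` on L196 is presumably a server-built path, but it is worth confirming it cannot carry author-controlled characters. Each `%for` body continues beyond its hunk.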
......
......@@ -13,9 +13,9 @@ label = xblock.display_name or xblock.scope_ids.block_type
% if not is_root:
% if is_reorderable:
<li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}">
<li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
% else:
<div class="studio-xblock-wrapper" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}">
<div class="studio-xblock-wrapper" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
% endif
<section class="wrapper-xblock ${section_class} ${collapsible_class}">
......
<%! from django.template.defaultfilters import escapejs %>
% if context_course:
<%
locator = context_course.id
......@@ -9,7 +11,7 @@
<script type="text/javascript">
// if inside course, inject the course location into the JS namespace
%if context_course:
var course_location_analytics = "${locator}";
var course_location_analytics = "${locator | escapejs}";
%endif
var analytics=analytics||[];analytics.load=function(e){var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=("https:"===document.location.protocol?"https://":"http://")+"d2dq2ahtl5zl1z.cloudfront.net/analytics.js/v1/"+e+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(t,n);var r=function(e){return function(){analytics.push([e].concat(Array.prototype.slice.call(arguments,0)))}},i=["identify","track","trackLink","trackForm","trackClick","trackSubmit","pageview","ab","alias","ready"];for(var s=0;s<i.length;s++)analytics[i[s]]=r(i[s])};
......@@ -28,7 +30,7 @@
<!-- dummy segment.io -->
<script type="text/javascript">
%if context_course:
var course_location_analytics = "${locator}";
var course_location_analytics = "${locator | escapejs}";
%endif
var analytics = {
"track": function() {}
......
......@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse
from courseware.courses import course_image_url, get_course_about_section
%>
<%page args="course" />
<article id="${course.id.to_deprecated_string()}" class="course">
<article id="${course.id | h}" class="course">
%if course.is_newish:
<span class="status">${_("New")}</span>
%endif
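Review bot: Replacing `course.id.to_deprecated_string()` with `${course.id | h}` changes what is serialised as well as escaping it: the `h` filter stringifies the key object before escaping, so the emitted value is the key's canonical string rather than the deprecated form. Where those two forms differ, any client code or URL route that parses this `id` attribute must accept the canonical form; the same substitution recurs on L263, L301, L408, L580, L588, L640 and L657. If the two forms are known to coincide for every key type in use, a short comment to that effect next to the first substitution would spare the next reader the same check.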
......
......@@ -81,7 +81,7 @@
if(xhr.status == 200) {
location.href = "${reverse('dashboard')}";
} else if (xhr.status == 403) {
location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll";
location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id | u}&enrollment_action=enroll";
} else if (xhr.status == 400) { //This means the user did not have permission
$('#register_error').html("${perms_error}").css("display", "block");
} else {
......@@ -211,7 +211,7 @@
<a class="instructor-info-action" href="${studio_url}">${_("View About Page in studio")}</a>
</div>
% endif
<nav>
<a href="#" class="active">${_("Overview")}</a>
## <a href="#">${_("FAQ")}</a>
......@@ -348,7 +348,7 @@
<div style="display: none;">
<form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
<fieldset class="enroll_fieldset">
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}">
<input name="course_id" type="hidden" value="${course.id | h}">
<input name="enrollment_action" type="hidden" value="enroll">
</fieldset>
<div class="submit">
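Review bot: `perms_error` on L249 is dropped into a JS string literal and then passed to `.html()` with no filter, in the same hunk that now URL-encodes `course.id` for the redirect; if that message can be anything other than a fixed translated string it needs `| escapejs` at minimum, `$('#register_error').html("${perms_error | escapejs}")`, and `.text()` rather than `.html()` unless markup is intended. The `| u` on the new L247 is the right filter for a query-string value. The surrounding callback begins before the hunk.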
......
<%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%! from microsite_configuration import page_title_breadcrumbs %>
<%inherit file="/main.html" />
<%namespace name='static' file='/static_content.html'/>
......@@ -58,7 +59,7 @@ ${page_title_breadcrumbs(course_name())}
% endif
<script type="text/javascript">
var $$course_id = "${course.id.to_deprecated_string()}";
var $$course_id = "${course.id | escapejs}";
$(function(){
$(".ui-accordion-header a, .ui-accordion-content .subtitle").each(function() {
......
......@@ -7,7 +7,7 @@
<%inherit file="../mktg_iframe.html" />
<%block name="pagetitle">${_("About {course_id}").format(course_id=course_id)}</%block>
<%block name="pagetitle">${_("About {course_id}").format(course_id=course_id) | h}</%block>
<%block name="bodyclass">view-iframe-content view-partial-mktgregister</%block>
......
......@@ -29,7 +29,7 @@
window.top.location.href = "${reverse('dashboard')}";
}
} else if (xhr.status == 403) {
window.top.location.href = "${reverse('register_user')}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll";
window.top.location.href = "${reverse('register_user')}?course_id=${course.id | u}&enrollment_action=enroll";
} else {
$('#register_error').html(
(xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}")
......@@ -77,7 +77,7 @@
<div style="display: none;">
<form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
<fieldset class="enroll_fieldset">
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}">
<input name="course_id" type="hidden" value="${course.id | h}">
<input name="enrollment_action" type="hidden" value="enroll">
<input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
</fieldset>
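Review bot: `xhr.responseText` on L295 is injected into the page through `.html()` with no escaping, two lines below the newly URL-encoded redirect, so any reflected content in an error response is rendered as markup. Unless the server is known to return HTML here, `.text()` is the safer call: `$('#register_error').text(xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}")`. The same pattern appears on L373-L374 of the unenroll handler.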
......
......@@ -2,6 +2,7 @@
<%inherit file="/main.html" />
<%namespace name='static' file='/static_content.html'/>
<%block name="headextra">
<%static:css group='style-course-vendor'/>
<%static:css group='style-course'/>
......@@ -19,6 +20,7 @@
<%!
from util.date_utils import get_time_display
from django.conf import settings
from django.utils.http import urlquote_plus
%>
<%block name="js_extra">
......@@ -51,7 +53,9 @@ from django.conf import settings
%if settings.FEATURES.get("SHOW_PROGRESS_SUCCESS_BUTTON"):
<%
SUCCESS_BUTTON_URL = settings.PROGRESS_SUCCESS_BUTTON_URL.format(
course_id=course.id.to_deprecated_string(), student_id=student.id)
course_id=urlquote_plus(unicode(course.id)),
student_id=urlquote_plus(student.id)
)
nonzero_cutoffs = [cutoff for cutoff in course.grade_cutoffs.values() if cutoff > 0]
success_cutoff = min(nonzero_cutoffs) if nonzero_cutoffs else None
%>
......
......@@ -5,18 +5,18 @@
<script type="text/javascript">
function setup_debug(element_id, edit_link, staff_context){
$('#' + element_id + '_trig').leanModal();
$('#' + element_id + '_xqa_log').leanModal();
$('#' + element_id + '_trig').leanModal();
$('#' + element_id + '_xqa_log').leanModal();
$('#' + element_id + '_xqa_form').submit(function () {sendlog(element_id, edit_link, staff_context);});
$("#" + element_id + "_history_trig").leanModal();
$('#' + element_id + '_history_form').submit(
function () {
var username = $("#" + element_id + "_history_student_username").val();
var location = $("#" + element_id + "_history_location").val();
$("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id)}" +
$("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id) | u}" +
"/submission_history/" + username + "/" + location);
return false;
}
......@@ -36,7 +36,7 @@ function sendlog(element_id, edit_link, staff_context){
tag:$('#' + element_id + '_xqa_tag').val(),
entry: $('#' + element_id + '_xqa_entry').val()
};
$.ajax({
url: '${xqa_server}/log',
type: 'GET',
......@@ -44,7 +44,7 @@ function sendlog(element_id, edit_link, staff_context){
data: JSON.stringify(xqaLog),
crossDomain: true,
dataType: 'jsonp',
beforeSend: function (xhr) {
beforeSend: function (xhr) {
xhr.setRequestHeader ("Authorization", "Basic eHFhOmFnYXJ3YWw="); },
timeout : 1000,
success: function(result) {
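Review bot: The new `| u` on L345 percent-encodes the course id, but `username` and `location` read from the form fields on L342-L343 are still concatenated into the same URL raw; wrap them as `encodeURIComponent(username)` and `encodeURIComponent(location)` so one encoding policy covers the whole path. Mako's `u` filter is `quote_plus`, which encodes `/` as `%2F`; if the course id can be a slash-separated key, confirm the `submission_history` route accepts the encoded form. The Basic-auth header on L362 ships a fixed credential in client-visible JS; it is not touched by this commit but deserves a follow-up.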
......
......@@ -70,7 +70,7 @@
location.href = "${reverse('dashboard')}";
} else if (xhr.status == 403) {
location.href = "${reverse('signin_user')}?course_id=" +
$("#unenroll_course_id").val() + "&enrollment_action=unenroll";
encodeURIComponont($("#unenroll_course_id").val()) + "&enrollment_action=unenroll";
} else {
$('#unenroll_error').html(
xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}"
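Review bot: `encodeURIComponont` on L371 is a misspelling of `encodeURIComponent`, so the 403 branch now throws a ReferenceError instead of redirecting; the line should read `encodeURIComponent($("#unenroll_course_id").val()) + "&enrollment_action=unenroll";`. Exercising the unenroll-while-logged-out path once, or running a linter over the script block, would have caught this. The `xhr.responseText` on L374 also goes into `.html()` unescaped, as noted on L295.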
......
......@@ -37,7 +37,7 @@ strong {
{% csrf_token %}
{{form.as_p}}
<p>
<input type="button" value="Cancel" onclick="javascript:location=location"/> <input type="submit" value="{% if cert %}Refund{% else %}Confirm{% endif %}" />
<input type="button" value="Cancel" onclick="javascript:location=location"/> <input type="submit" value="{% if cert %}Refund{% else %}Confirm{% endif %}" />
</p>
</form>
{% if cert %}
......@@ -49,7 +49,7 @@ strong {
<strong>{% trans "Order Id:" %}</strong> {{cert.order.id}}
</p>
<p>
<strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %})
<strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id|escape}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %})
</p>
<p>
<strong>{% trans "Cost:" %}</strong> {{cert.unit_cost}} {{cert.currency}}
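Review bot: `{{enrollment.course_id|escape}}` on L390 is a no-op if this Django template renders with autoescaping on (the default), and if autoescaping is off then the neighbouring `{{enrollment.mode}}`, `{{cert.order.id}}`, `{{cert.unit_cost}}` and `{{cert.currency}}` are equally unescaped. Either confirm the autoescape state and drop the redundant filter, or apply `|escape` to every variable in the block so the policy is uniform.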
......
......@@ -25,7 +25,7 @@
<section class="discussion container" id="discussion-container"
data-roles="${roles}"
data-course-id="${course_id}"
data-course-id="${course_id | h}"
data-user-info="${user_info}"
data-threads="${threads}"
data-thread-pages="${thread_pages}"
......
......@@ -32,7 +32,7 @@
</nav>
</section>
<section class="course-content container discussion-user-threads" data-course-id="${course.id.to_deprecated_string() | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
<section class="course-content container discussion-user-threads" data-course-id="${course.id | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
</div>
</section>
......
......@@ -46,7 +46,7 @@
<li class="field" id="add-coupon-modal-field-course_id">
<label for="coupon_course_id">${_("Course ID")}</label>
<input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id']}"
<input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id'] | h}"
readonly aria-required="true"/>
</li>
......
......@@ -30,17 +30,17 @@
<ul class="list-input">
<li class="field text is-not-editable" id="field-course-organization">
<label for="course-organization">${_("Organization:")}</label>
<b>${ section_data['course_id'].org }</b>
<b>${ section_data['course_id'].org | h}</b>
</li>
<li class="field text is-not-editable" id="field-course-number">
<label for="course-number">${_("Course Number:")}</label>
<b>${ section_data['course_id'].course }</b>
<b>${ section_data['course_id'].course | h}</b>
</li>
<li class="field text is-not-editable" id="field-course-name">
<label for="course-name">${_("Course Name:")}</label>
<b>${ section_data['course_id'].run }</b>
<b>${ section_data['course_id'].run | h}</b>
</li>
<li class="field text is-not-editable" id="field-course-display-name">
......
<%! from django.utils.translation import ugettext as _ %>
<%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%page args="section_data"/>
......@@ -20,7 +21,7 @@
<h2>${_("Subsection Data")}</h2>
<p>${_("Each bar shows the number of students that opened the subsection.")}</p>
<p>${_("You can click on any of the bars to list the students that opened the subsection.")}</p>
<p>${_("You can also download this data as a CSV file.")}</p>
<p>${_("You can also download this data as a CSV file.")}</p>
<p><input type="button" id="download_subsection_data" value="${_("Download Subsection Data for all Subsections as a CSV")}" /></p>
</div>
<div class="metrics-right-header">
......@@ -69,10 +70,10 @@
$('.metrics-container').on("click", '.metrics-left .stacked-bar', function () {
var module_id = $('rect', this).attr('id');
var metrics_overlay = $(this).closest('.metrics-left').siblings('.metrics-overlay');
// Set module_id attribute on metrics_overlay
metrics_overlay.data("module-id", module_id);
var header = $(this).closest('.metrics-left').siblings('.metrics-tooltip').text();
var overlay_content = '<h3 class="metrics-overlay-title">' + header + '</h3>';
$('.metrics-overlay-content', metrics_overlay).before(overlay_content);
......@@ -86,7 +87,7 @@
success: function(response) {
overlay_content = "<tr class='header'><th>${_('Name')}</th><th>${_('Username')}</th></tr>";
$('.metrics-overlay-content thead', metrics_overlay).append(overlay_content);
$.each(response.results, function(index, value ){
overlay_content = '<tr><td>' + value['name'] + "</td><td>" + value['username'] + '</td></tr>';
$('.metrics-overlay-content tbody', metrics_overlay).append(overlay_content);
......@@ -101,19 +102,19 @@
metrics_overlay.find('.metrics-student-opened').show();
metrics_overlay.show();
});
// Click handler for right bars
$('.metrics-container').on("click", '.metrics-right .stacked-bar', function () {
var module_id = $('rect', this).attr('id');
var metrics_overlay = $(this).closest('.metrics-right').siblings('.metrics-overlay');
//Set module_id attribute on metrics_overlay
metrics_overlay.data("module-id", module_id);
var header = $(this).closest('.metrics-right').siblings('.metrics-tooltip').text();
var far_index = header.indexOf(' - ');
var title = header.substring(0, far_index);
var overlay_content = '<h3 class="metrics-overlay-title">' + title + '</h3>';
$('.metrics-overlay-content', metrics_overlay).before(overlay_content);
......@@ -141,12 +142,12 @@
metrics_overlay.find('.metrics-student-grades').show();
metrics_overlay.show();
});
loadGraphs = function() {
$('#graph_reload').hide();
$('.metrics-header-container').hide();
$('.loading').remove();
var nothingText = "${_('There are no problems in this section.')}";
var loadingText = "${_('Loading...')}";
......@@ -169,7 +170,7 @@
${all_section_metrics.body("metric_opened_", "metric_grade_", "metric_attempts_", "metric_tooltip_", course.id, allSubsectionTooltipArr, allProblemTooltipArr)}
}
// For downloading subsection and problem data as csv
download_csv_data = function(event) {
......@@ -191,25 +192,25 @@
var data = {}
data['sections'] = JSON.stringify(allSectionArr);
data['tooltips'] = JSON.stringify(allTooltipArr);
data['course_id'] = "${section_data['course_id']}";
data['course_id'] = "${section_data['course_id'] | escapejs}";
data['data_type'] = event.type;
var input_data = document.createElement("input");
input_data.name = 'data';
input_data.value = JSON.stringify(data);
var csrf_token_input = document.createElement("input");
csrf_token_input.name = 'csrfmiddlewaretoken';
csrf_token_input.value = "${ csrf_token }"
// Send data as a POST so it doesn't create a huge url
var form = document.createElement("form");
form.action = "${section_data['post_metrics_data_csv_url']}";
form.method = 'post'
form.appendChild(input_data);
form.appendChild(csrf_token_input)
document.body.appendChild(form);
form.submit();
}
......@@ -222,17 +223,17 @@
$('.metrics-header-container').show();
}
});
$('#graph_reload').click(function () {
loadGraphs();
$('#graph_reload').show();
$('.metrics-header-container').show();
});
$('#download_subsection_data').click(function() {
download_csv_data({'type': 'subsection'});
});
$('#download_problem_data').click(function() {
download_csv_data({'type': 'problem'});
});
......@@ -242,12 +243,12 @@
$('#graph_reload').hide();
$('.metrics-header-container').hide();
}
$(document).ajaxStop(function() {
$('#graph_reload').show();
$('.metrics-header-container').show();
});
});
$('.metrics-overlay .close-button').click(function(event) {
event.preventDefault();
......@@ -259,14 +260,14 @@
});
$('.metrics-overlay .download-csv').click(function(event) {
var module_id = $(this).closest('.metrics-overlay').data("module-id");
var module_id = $(this).closest('.metrics-overlay').data("module-id");
var tooltip = $(this).closest('.metrics-container').children('.metrics-tooltip').text();
var attributes = '?module_id=' + module_id + '&csv=true' + '&tooltip=' + tooltip;
var url = $(this).data("endpoint");
url += attributes;
return location.href = url;
});
</script>
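Review bot: `form.action = "${section_data['post_metrics_data_csv_url']}";` on L513 sits in the same hunk as the newly `escapejs`-filtered `course_id` (L503) but is still interpolated into a JS string unfiltered; apply `| escapejs` there for consistency. Elsewhere in this section the response values `value['name']` and `value['username']` are concatenated into HTML on L466 and appended with jQuery, and `tooltip` is appended to a query string on L552 without `encodeURIComponent`; neither is changed by this commit, but both are the same class of issue it sets out to fix. `loadGraphs` and `download_csv_data` both extend beyond their hunks.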
......
......@@ -11,7 +11,7 @@
<%! from microsite_configuration import page_title_breadcrumbs %>
<%namespace name='static' file='static_content.html'/>
<%! from django.utils import html %>
<%! from django.utils.http import urlquote_plus %>
## Define a couple of helper functions to make life easier when
## embedding theme conditionals into templates. All inheriting
......@@ -148,7 +148,7 @@
<%def name="login_query()">${
u"?course_id={0}&enrollment_action={1}".format(
html.escape(course_id),
html.escape(enrollment_action)
urlquote_plus(course_id),
urlquote_plus(enrollment_action)
) if course_id and enrollment_action else ""
}</%def>
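Review bot: `urlquote_plus(course_id)` on L571 receives `course_id` as-is, whereas the equivalent change on L324 of the progress template wraps the key as `unicode(course.id)` first; if `course_id` here can be a key object rather than a string, mirror that with `urlquote_plus(unicode(course_id)),`. Switching from `html.escape` to `urlquote_plus` is the right choice for query-string values, since percent-encoding leaves nothing for the HTML context to misinterpret.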
......@@ -41,7 +41,7 @@ criteria.{end_li_tag}
%if problem['closed']:
${problem['problem_name']}
%else:
<a href="#problem" data-location="${problem['location'].to_deprecated_string()}" class="problem-button">${problem['problem_name']}</a>
<a href="#problem" data-location="${problem['location'] | h}" class="problem-button">${problem['problem_name']}</a>
%endif
</td>
<td>
......
<%! from django.utils.translation import ugettext as _ %>
<section class="container peer-grading-container">
<div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location.to_deprecated_string()}" data-use-single-location="${use_single_location}">
<div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location | h}" data-use-single-location="${use_single_location}">
<div class="error-container"></div>
<section class="content-panel">
......@@ -48,7 +48,7 @@
<textarea name="feedback" placeholder="Feedback for student" class="feedback-area" cols="70" ></textarea>
<div class="flag-student-container">
<br />
<input type="checkbox" class="flag-checkbox" value="student_is_flagged">
<input type="checkbox" class="flag-checkbox" value="student_is_flagged">
${_("This submission has explicit, offensive, or (I suspect) plagiarized content. ")}
</div>
</div>
......
......@@ -52,7 +52,7 @@
% if item.status == "purchased":
<td>${item.qty}</td>
<td>${item.line_desc}</td>
<td><a href="${course_id}" class="enter-course">${_('View Course')}</a></td>
<td><a href="${course_id | h}" class="enter-course">${_('View Course')}</a></td>
<td>${"{0:0.2f}".format(item.unit_cost)}
% if item.list_price != None:
<span class="old-price"> ${"{0:0.2f}".format(item.list_price)}</span>
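Review bot: `href="${course_id | h}"` on L606 uses the value directly as a link target, and `h` only neutralises the attribute delimiter; it does not constrain what the URL itself is. If this is really a CourseKey the key grammar bounds it, but if it is a view-built URL string, a comment stating its origin, `## course_id here is the course URL built by the view`, would make that clear, and any scheme check belongs in the view rather than the template.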
......
<%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%namespace name='static' file='/static_content.html'/>
## The JS for this is defined in xqa_interface.html
......@@ -9,10 +10,10 @@ ${block_content}
<a href="${edit_link}">Edit</a>
% if xqa_key:
/ <a href="#${element_id}_xqa-modal" onclick="javascript:getlog('${element_id}', {
'location': '${location}',
'xqa_key': '${xqa_key}',
'category': '${category}',
'user': '${user}'
'location': '${location | h}',
'xqa_key': '${xqa_key | h}',
'category': '${category | h}',
'user': '${user | h}'
})" id="${element_id}_xqa_log">QA</a>
% endif
</div>
......@@ -58,10 +59,10 @@ ${block_content}
<div class="staff_actions">
<h3>${_('Actions')}</h3>
<div>
<label for="sd_fu_${location.name}">${_('Username')}:</label>
<input type="text" id="sd_fu_${location.name}" placeholder="${user.username}"/>
<label for="sd_fu_${location.name | h}">${_('Username')}:</label>
<input type="text" id="sd_fu_${location.name | h}" placeholder="${user.username}"/>
</div>
<div data-location="${location.to_deprecated_string()}" data-location-name="${location.name}">
<div data-location="${location | h}" data-location-name="${location.name | h}">
[
<a href="#" class="staff-debug-reset">${_('Reset Student Attempts')}</a>
% if has_instructor_access:
......@@ -72,7 +73,7 @@ ${block_content}
% endif
]
</div>
<div id="result_${location.name}"/>
<div id="result_${location.name | h}"/>
</div>
<div class="staff_info" style="display:block">
......@@ -106,7 +107,7 @@ category = ${category | h}
<form id="${element_id}_history_form">
<label for="${element_id}_history_student_username">${_("User:")}</label>
<input id="${element_id}_history_student_username" type="text" placeholder=""/>
<input type="hidden" id="${element_id}_history_location" value="${location.to_deprecated_string()}"/>
<input type="hidden" id="${element_id}_history_location" value="${location | h}"/>
<div class="submit">
<button name="submit" type="submit">${_("View History")}</button>
</div>
......@@ -129,7 +130,7 @@ $(function () {
null,
%endif
{
'location': '${location.to_deprecated_string()}',
'location': '${location | escapejs}',
'xqa_key': '${xqa_key}',
'category': '${category}',
'user': '${user}'
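Review bot: The `| h` filters on L623-L626 escape for the wrong context: these values are JS string literals inside an `onclick` attribute, and the HTML parser decodes `&#39;` back to `'` before the script runs, so an apostrophe would still terminate the literal. Apply `escapejs` first and then `h`, e.g. `'location': '${location | escapejs, h}',`, for each of the four keys. In the last hunk (L666-L669) `location` gets `escapejs` but `xqa_key`, `category` and `user` on the following lines do not, and `placeholder="${user.username}"` on L637 is unescaped next to the newly escaped `id`. The `getlog` call and the `$(function () {` block both extend beyond their hunks.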
......
......@@ -75,7 +75,7 @@ textarea {
%if course_id is not None:
## Translators: Git is a version-control system; see http://git-scm.com/about
<h2>${_('Recent git load activity for {course_id}').format(course_id=course_id)}</h2>
<h2>${_('Recent git load activity for {course_id}').format(course_id=course_id) | h}</h2>
%if error_msg:
<h3>${_('Error')}:</h3>
<p>${error_msg}</p>
......@@ -100,15 +100,13 @@ textarea {
%>
% for cil in logs:
<%
course_id_string = cil.course_id.to_deprecated_string() if cil.course_id else None
# Appropriate datetime string for current locale and timezone
date = get_time_display(cil.created.replace(tzinfo=UTC),
DEFAULT_DATE_TIME_FORMAT, coerce_tz=settings.TIME_ZONE)
%>
<tr>
<td>${date}</td>
<td><a href="${reverse('gitlogs')}/${course_id_string}">${course_id_string}</a></td>
<td><a href="${reverse('gitlogs_detail', kwargs={'course_id': unicode(cil.course_id)})}">${cil.course_id | h}</a></td>
<td>${cil.git_log}</td>
</tr>
%endfor
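Review bot: `cil.git_log` on L692 and `error_msg` on L678 are still rendered without `| h` in the hunks that escape `course_id` around them; the git log text is whatever was committed to the course repository, so unless it is escaped before reaching the template it should be `<td>${cil.git_log | h}</td>`. The new `reverse('gitlogs_detail', ...)` call on L691 is an improvement over the string-built path it replaces. The `% for cil in logs:` loop ends within the hunk.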
......
......@@ -174,7 +174,7 @@
<li class="wizard-step step-proceed">
<form id="reverify_form" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
<input type="hidden" name="course_id" value="${course_id}">
<input type="hidden" name="course_id" value="${course_id | h}">
<input class="action-primary disabled" type="button" id="midcourse_reverify_button" value="${_('Submit photos &amp; re-verify')}" name="payment">
</form>
</li>
......
<%! from django.utils.translation import ugettext as _ %>
<%! from django.core.urlresolvers import reverse %>
<%! from django.template.defaultfilters import escapejs %>
<%inherit file="../main.html" />
<%namespace name='static' file='/static_content.html'/>
......@@ -14,7 +15,7 @@ var submitToPaymentProcessing = function(event) {
var xhr = $.post(
"${create_order_url}",
{
"course_id" : "${course_id}",
"course_id" : "${course_id | escapejs}",
},
function(data) {
for (prop in data) {
......