Commit 77a04daa by Calen Pennington

Properly escape CourseKeys and UsageKeys in html templates

[LMS-11372]
[LMS-11370]
parent c5ae921d
## -*- coding: utf-8 -*- ## -*- coding: utf-8 -*-
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<!doctype html> <!doctype html>
...@@ -14,7 +15,7 @@ ...@@ -14,7 +15,7 @@
<%block name="title"></%block> | <%block name="title"></%block> |
% if context_course: % if context_course:
<% ctx_loc = context_course.location %> <% ctx_loc = context_course.location %>
${context_course.display_name_with_default} | ${context_course.display_name_with_default | h} |
% endif % endif
edX Studio edX Studio
</title> </title>
...@@ -329,7 +330,7 @@ ...@@ -329,7 +330,7 @@
<script type="text/javascript"> <script type="text/javascript">
require(['js/models/course'], function(Course) { require(['js/models/course'], function(Course) {
window.course = new Course({ window.course = new Course({
id: "${context_course.id}", id: "${context_course.id | escapejs}",
name: "${context_course.display_name_with_default | h}", name: "${context_course.display_name_with_default | h}",
url_name: "${context_course.location.name | h}", url_name: "${context_course.location.name | h}",
org: "${context_course.location.org | h}", org: "${context_course.location.org | h}",
...@@ -115,7 +115,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal", ...@@ -115,7 +115,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
<article class="content-primary"> <article class="content-primary">
<div class="container-message wrapper-message"></div> <div class="container-message wrapper-message"></div>
<section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator}" data-course-key="${xblock_locator.course_key}"> <section class="wrapper-xblock level-page is-hidden studio-xblock-wrapper" data-locator="${xblock_locator | h}" data-course-key="${xblock_locator.course_key | h}">
</section> </section>
<div class="ui-loading"> <div class="ui-loading">
<p><span class="spin"><i class="icon-refresh"></i></span> <span class="copy">${_("Loading...")}</span></p> <p><span class="spin"><i class="icon-refresh"></i></span> <span class="copy">${_("Loading...")}</span></p>
...@@ -138,7 +138,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal", ...@@ -138,7 +138,7 @@ templates = ["basic-modal", "modal-button", "edit-xblock-modal",
<div class="wrapper-unit-id bar-mod-content"> <div class="wrapper-unit-id bar-mod-content">
<h5 class="title">${_("Location ID")}</h5> <h5 class="title">${_("Location ID")}</h5>
<p class="unit-id"> <p class="unit-id">
<span class="unit-id-value" id="unit-location-id-input">${unit.location.name}</span> <span class="unit-id-value" id="unit-location-id-input">${unit.location.name | h}</span>
<span class="tip"><span class="sr">Tip: </span>${_("Use this ID when you create links to this unit from other course content. You enter the ID in the URL field.")}</span> <span class="tip"><span class="sr">Tip: </span>${_("Use this ID when you create links to this unit from other course content. You enter the ID in the URL field.")}</span>
</p> </p>
</div> </div>
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
<%def name="online_help_token()"><% return "course_rerun" %></%def> <%def name="online_help_token()"><% return "course_rerun" %></%def>
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.core.urlresolvers import reverse %> <%! from django.core.urlresolvers import reverse %>
<%! from django.template.defaultfilters import escapejs %>
<%block name="title">${_("Create a Course Rerun of:")}</%block> <%block name="title">${_("Create a Course Rerun of:")}</%block>
<%block name="bodyclass">is-signedin view-course-create view-course-create-rerun</%block> <%block name="bodyclass">is-signedin view-course-create view-course-create-rerun</%block>
...@@ -13,7 +14,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio ...@@ -13,7 +14,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
}); });
</script> </script>
<script type="text/javascript"> <script type="text/javascript">
var source_course_key = "${source_course_key}" var source_course_key = "${source_course_key | escapejs}"
</script> </script>
</%block> </%block>
...@@ -37,7 +38,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio ...@@ -37,7 +38,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
<h2 class="page-header-super course-original"> <h2 class="page-header-super course-original">
<span class="sr">${_("You are creating a re-run from:")}</span> <span class="sr">${_("You are creating a re-run from:")}</span>
<span class="course-original-title-id">${source_course_key.org} ${source_course_key.course} ${source_course_key.run}</span> <span class="course-original-title-id">${source_course_key.org | h} ${source_course_key.course | h} ${source_course_key.run | h}</span>
<span class="course-original-title">${display_name}</span> <span class="course-original-title">${display_name}</span>
</h2> </h2>
</header> </header>
...@@ -79,7 +80,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio ...@@ -79,7 +80,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
</li> </li>
<li class="field text required" id="field-organization"> <li class="field text required" id="field-organization">
<label for="rerun-course-org">${_("Organization")}</label> <label for="rerun-course-org">${_("Organization")}</label>
<input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org}" placeholder="${_('e.g. UniversityX or OrganizationX')}" /> <input class="rerun-course-org" id="rerun-course-org" type="text" name="rerun-course-org" aria-required="true" value="${source_course_key.org | h}" placeholder="${_('e.g. UniversityX or OrganizationX')}" />
<span class="tip"> <span class="tip">
${_("The name of the organization sponsoring the new course. (This name is often the same as the original organization name.)")} ${_("The name of the organization sponsoring the new course. (This name is often the same as the original organization name.)")}
<strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong> <strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
...@@ -90,7 +91,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio ...@@ -90,7 +91,7 @@ require(["domReady!", "jquery", "jquery.form", "js/views/course_rerun"], functio
<li class="row"> <li class="row">
<div class="column field text required" id="field-course-number"> <div class="column field text required" id="field-course-number">
<label for="rerun-course-number">${_("Course Number")}</label> <label for="rerun-course-number">${_("Course Number")}</label>
<input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course}" placeholder="${_('e.g. CS101')}" /> <input class="rerun-course-number" id="rerun-course-number" type="text" name="rerun-course-number" aria-required="true" value="${source_course_key.course | h}" placeholder="${_('e.g. CS101')}" />
<span class="tip"> <span class="tip">
${_("The unique number that identifies the new course within the organization. (This number is often the same as the original course number.)")} ${_("The unique number that identifies the new course within the organization. (This number is often the same as the original course number.)")}
<strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong> <strong class="tip-note" class="tip-note">${_("Note: No spaces or special characters are allowed.")}</strong>
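Review bot: `${display_name}` on the line directly after the changed `course-original-title-id` span is still emitted unescaped, while the sibling org/course/run values now carry `| h`; the display name is author-supplied text, so it should read `<span class="course-original-title">${display_name | h}</span>`. The `| h` added to the two `value=` attributes in the later hunks is the right filter for attribute context. The enclosing `<%block>` and the form markup start and end outside these hunks.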
<%! <%!
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from django.template.defaultfilters import escapejs
%> %>
<%inherit file="base.html" /> <%inherit file="base.html" />
<%def name="online_help_token()"><% return "updates" %></%def> <%def name="online_help_token()"><% return "updates" %></%def>
...@@ -28,7 +29,7 @@ require(["domReady!", "jquery", "js/collections/course_update", "js/models/modul ...@@ -28,7 +29,7 @@ require(["domReady!", "jquery", "js/collections/course_update", "js/models/modul
course_updates.fetch({reset: true}); course_updates.fetch({reset: true});
var course_handouts = new ModuleInfoModel({ var course_handouts = new ModuleInfoModel({
id: '${handouts_locator}' id: '${handouts_locator | escapejs}'
}); });
var editor = new CourseInfoEditView({ var editor = new CourseInfoEditView({
...@@ -73,7 +73,7 @@ from contentstore.utils import reverse_usage_url ...@@ -73,7 +73,7 @@ from contentstore.utils import reverse_usage_url
<h3 class="sr">${_("Page Actions")}</h3> <h3 class="sr">${_("Page Actions")}</h3>
<ul> <ul>
<li class="nav-item"> <li class="nav-item">
<a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}"> <a href="#" class="button button-new" data-category="chapter" data-parent="${context_course.location | h}" data-default-name="${_('Section')}" title="${_('Click to add a new section')}">
<i class="icon-plus"></i>${_('New Section')} <i class="icon-plus"></i>${_('New Section')}
</a> </a>
</li> </li>
...@@ -116,7 +116,7 @@ from contentstore.utils import reverse_usage_url ...@@ -116,7 +116,7 @@ from contentstore.utils import reverse_usage_url
course_locator = context_course.location course_locator = context_course.location
%> %>
<h2 class="sr">${_("Course Outline")}</h2> <h2 class="sr">${_("Course Outline")}</h2>
<article class="outline outline-complex outline-course" data-locator="${course_locator}" data-course-key="${course_locator.course_key}"> <article class="outline outline-complex outline-course" data-locator="${course_locator | h}" data-course-key="${course_locator.course_key | h}">
</article> </article>
</div> </div>
<div class="ui-loading"> <div class="ui-loading">
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from xmodule.tabs import StaticTab from xmodule.tabs import StaticTab
from django.template.defaultfilters import escapejs
%> %>
<%block name="title">${_("Pages")}</%block> <%block name="title">${_("Pages")}</%block>
<%block name="bodyclass">is-signedin course view-static-pages</%block> <%block name="bodyclass">is-signedin course view-static-pages</%block>
...@@ -24,7 +25,7 @@ ...@@ -24,7 +25,7 @@
function (TabsModel, TabsEditView, xmoduleLoader) { function (TabsModel, TabsEditView, xmoduleLoader) {
xmoduleLoader.done(function () { xmoduleLoader.done(function () {
var model = new TabsModel({ var model = new TabsModel({
id: "${context_course.location}", id: "${context_course.location | escapejs}",
explicit_url: "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}" explicit_url: "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}"
}); });
...@@ -86,7 +87,7 @@ ...@@ -86,7 +87,7 @@
%> %>
% if isinstance(tab, StaticTab): % if isinstance(tab, StaticTab):
<li class="component ${css_class}" data-locator="${tab.locator}" data-tab-id="${tab.tab_id}"></li> <li class="component ${css_class}" data-locator="${tab.locator | h}" data-tab-id="${tab.tab_id | h}"></li>
% else: % else:
<li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id}"> <li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id}">
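Review bot: The `else` branch still renders `data-tab-id="${tab.tab_id}"` unescaped while the `StaticTab` branch directly above now has `data-tab-id="${tab.tab_id | h}"`; even if non-static tab ids are fixed constants, the two branches should match: `<li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id | h}">`. In the JS hunk, `explicit_url` is interpolated into a string literal without `escapejs`; `reverse()` output is percent-encoded so this is presumably harmless, but `| escapejs` there too would keep every value in that object literal on the same footing. The `require` callback and the tab loop begin outside the hunks.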
...@@ -60,7 +60,7 @@ ...@@ -60,7 +60,7 @@
<aside class="content-supplementary" role="complimentary"> <aside class="content-supplementary" role="complimentary">
<dl class="export-git-info-block"> <dl class="export-git-info-block">
<dt>${_("Your course:")}</dt> <dt>${_("Your course:")}</dt>
<dd class="course_text">${context_course.id}</dd> <dd class="course_text">${context_course.id | h}</dd>
<dt>${_("Course git url:")}</dt> <dt>${_("Course git url:")}</dt>
<dd class="giturl_text">${context_course.giturl}</dd> <dd class="giturl_text">${context_course.giturl}</dd>
</dl> </dl>
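Review bot: `${context_course.giturl}` on the line following the newly escaped `course_text` is still unescaped; the git URL is configured by the course author and is rendered as element text, so it should become `<dd class="giturl_text">${context_course.giturl | h}</dd>`. The surrounding `<aside>` starts outside the hunk.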
...@@ -140,7 +140,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) { ...@@ -140,7 +140,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
%for course_info in sorted(in_process_course_actions, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''): %for course_info in sorted(in_process_course_actions, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
<!-- STATE: re-run is processing --> <!-- STATE: re-run is processing -->
%if course_info['is_in_progress']: %if course_info['is_in_progress']:
<li class="wrapper-course has-status" data-course-key="${course_info['course_key']}"> <li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
<div class="course-item course-rerun is-processing"> <div class="course-item course-rerun is-processing">
<div class="course-details" href="#"> <div class="course-details" href="#">
<h3 class="course-title">${course_info['display_name']}</h3> <h3 class="course-title">${course_info['display_name']}</h3>
...@@ -178,7 +178,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) { ...@@ -178,7 +178,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
<!-- STATE: re-run has error --> <!-- STATE: re-run has error -->
%if course_info['is_failed']: %if course_info['is_failed']:
<li class="wrapper-course has-status" data-course-key="${course_info['course_key']}"> <li class="wrapper-course has-status" data-course-key="${course_info['course_key'] | h}">
<div class="course-item course-rerun has-error"> <div class="course-item course-rerun has-error">
<div class="course-details" href="#"> <div class="course-details" href="#">
<h3 class="course-title">${course_info['display_name']}</h3> <h3 class="course-title">${course_info['display_name']}</h3>
...@@ -229,7 +229,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) { ...@@ -229,7 +229,7 @@ require(["domReady!", "jquery", "jquery.form", "js/index"], function(doc, $) {
<div class="courses"> <div class="courses">
<ul class="list-courses"> <ul class="list-courses">
%for course_info in sorted(courses, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''): %for course_info in sorted(courses, key=lambda s: s['display_name'].lower() if s['display_name'] is not None else ''):
<li class="course-item" data-course-key="${course_info['course_key']}"> <li class="course-item" data-course-key="${course_info['course_key'] | h}">
<a class="course-link" href="${course_info['url']}"> <a class="course-link" href="${course_info['url']}">
<h3 class="course-title">${course_info['display_name']}</h3> <h3 class="course-title">${course_info['display_name']}</h3>
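Review bot: In all three hunks `${course_info['display_name']}` inside `<h3 class="course-title">` stays unescaped while the neighbouring `data-course-key` attribute gained `| h`; display names are author-supplied, so each should read `<h3 class="course-title">${course_info['display_name'] | h}</h3>`. The `href="${course_info['url']}"` in the last hunk presumably comes from `reverse()`, but `| h` there costs nothing. The `%for` loops start outside the first two hunks and end outside all three.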
...@@ -13,9 +13,9 @@ label = xblock.display_name or xblock.scope_ids.block_type ...@@ -13,9 +13,9 @@ label = xblock.display_name or xblock.scope_ids.block_type
% if not is_root: % if not is_root:
% if is_reorderable: % if is_reorderable:
<li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}"> <li class="studio-xblock-wrapper is-draggable" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
% else: % else:
<div class="studio-xblock-wrapper" data-locator="${xblock.location}" data-course-key="${xblock.location.course_key}"> <div class="studio-xblock-wrapper" data-locator="${xblock.location | h}" data-course-key="${xblock.location.course_key | h}">
% endif % endif
<section class="wrapper-xblock ${section_class} ${collapsible_class}"> <section class="wrapper-xblock ${section_class} ${collapsible_class}">
<%! from django.template.defaultfilters import escapejs %>
% if context_course: % if context_course:
<% <%
locator = context_course.id locator = context_course.id
...@@ -9,7 +11,7 @@ ...@@ -9,7 +11,7 @@
<script type="text/javascript"> <script type="text/javascript">
// if inside course, inject the course location into the JS namespace // if inside course, inject the course location into the JS namespace
%if context_course: %if context_course:
var course_location_analytics = "${locator}"; var course_location_analytics = "${locator | escapejs}";
%endif %endif
var analytics=analytics||[];analytics.load=function(e){var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=("https:"===document.location.protocol?"https://":"http://")+"d2dq2ahtl5zl1z.cloudfront.net/analytics.js/v1/"+e+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(t,n);var r=function(e){return function(){analytics.push([e].concat(Array.prototype.slice.call(arguments,0)))}},i=["identify","track","trackLink","trackForm","trackClick","trackSubmit","pageview","ab","alias","ready"];for(var s=0;s<i.length;s++)analytics[i[s]]=r(i[s])}; var analytics=analytics||[];analytics.load=function(e){var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=("https:"===document.location.protocol?"https://":"http://")+"d2dq2ahtl5zl1z.cloudfront.net/analytics.js/v1/"+e+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(t,n);var r=function(e){return function(){analytics.push([e].concat(Array.prototype.slice.call(arguments,0)))}},i=["identify","track","trackLink","trackForm","trackClick","trackSubmit","pageview","ab","alias","ready"];for(var s=0;s<i.length;s++)analytics[i[s]]=r(i[s])};
...@@ -28,7 +30,7 @@ ...@@ -28,7 +30,7 @@
<!-- dummy segment.io --> <!-- dummy segment.io -->
<script type="text/javascript"> <script type="text/javascript">
%if context_course: %if context_course:
var course_location_analytics = "${locator}"; var course_location_analytics = "${locator | escapejs}";
%endif %endif
var analytics = { var analytics = {
"track": function() {} "track": function() {}
...@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse ...@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse
from courseware.courses import course_image_url, get_course_about_section from courseware.courses import course_image_url, get_course_about_section
%> %>
<%page args="course" /> <%page args="course" />
<article id="${course.id.to_deprecated_string()}" class="course"> <article id="${course.id | h}" class="course">
%if course.is_newish: %if course.is_newish:
<span class="status">${_("New")}</span> <span class="status">${_("New")}</span>
%endif %endif
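Review bot: Replacing `course.id.to_deprecated_string()` with `${course.id | h}` changes what is rendered into the `id` attribute, not only how it is escaped: the `h` filter stringifies the key, and that string may differ from the deprecated form for newer key types. Any CSS or JS that selects this `<article>` by id (none is visible here) has to agree on the same form; if the deprecated form is what clients expect, keep `${course.id.to_deprecated_string() | h}`. The same substitution appears in several later sections of this commit. The `<article>` element closes outside the hunk.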
...@@ -81,7 +81,7 @@ ...@@ -81,7 +81,7 @@
if(xhr.status == 200) { if(xhr.status == 200) {
location.href = "${reverse('dashboard')}"; location.href = "${reverse('dashboard')}";
} else if (xhr.status == 403) { } else if (xhr.status == 403) {
location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll"; location.href = "${reverse('course-specific-register', args=[course.id.to_deprecated_string()])}?course_id=${course.id | u}&enrollment_action=enroll";
} else if (xhr.status == 400) { //This means the user did not have permission } else if (xhr.status == 400) { //This means the user did not have permission
$('#register_error').html("${perms_error}").css("display", "block"); $('#register_error').html("${perms_error}").css("display", "block");
} else { } else {
...@@ -348,7 +348,7 @@ ...@@ -348,7 +348,7 @@
<div style="display: none;"> <div style="display: none;">
<form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}"> <form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
<fieldset class="enroll_fieldset"> <fieldset class="enroll_fieldset">
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}"> <input name="course_id" type="hidden" value="${course.id | h}">
<input name="enrollment_action" type="hidden" value="enroll"> <input name="enrollment_action" type="hidden" value="enroll">
</fieldset> </fieldset>
<div class="submit"> <div class="submit">
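Review bot: Two lines below the newly URL-encoded `course_id`, `$('#register_error').html("${perms_error}")` still interpolates `perms_error` into a JS string literal with no `escapejs` and then into the DOM via `.html()`. If `perms_error` is a fixed translated message this is harmless, but since the commit already touches this block, `$('#register_error').html("${perms_error | escapejs}")` would close the gap. The `| u` (quote_plus) output contains only URL-safe characters, so it is also safe inside the JS string literal. The enclosing XHR callback starts and ends outside the hunk.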
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%! from microsite_configuration import page_title_breadcrumbs %> <%! from microsite_configuration import page_title_breadcrumbs %>
<%inherit file="/main.html" /> <%inherit file="/main.html" />
<%namespace name='static' file='/static_content.html'/> <%namespace name='static' file='/static_content.html'/>
...@@ -58,7 +59,7 @@ ${page_title_breadcrumbs(course_name())} ...@@ -58,7 +59,7 @@ ${page_title_breadcrumbs(course_name())}
% endif % endif
<script type="text/javascript"> <script type="text/javascript">
var $$course_id = "${course.id.to_deprecated_string()}"; var $$course_id = "${course.id | escapejs}";
$(function(){ $(function(){
$(".ui-accordion-header a, .ui-accordion-content .subtitle").each(function() { $(".ui-accordion-header a, .ui-accordion-content .subtitle").each(function() {
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
<%inherit file="../mktg_iframe.html" /> <%inherit file="../mktg_iframe.html" />
<%block name="pagetitle">${_("About {course_id}").format(course_id=course_id)}</%block> <%block name="pagetitle">${_("About {course_id}").format(course_id=course_id) | h}</%block>
<%block name="bodyclass">view-iframe-content view-partial-mktgregister</%block> <%block name="bodyclass">view-iframe-content view-partial-mktgregister</%block>
...@@ -29,7 +29,7 @@ ...@@ -29,7 +29,7 @@
window.top.location.href = "${reverse('dashboard')}"; window.top.location.href = "${reverse('dashboard')}";
} }
} else if (xhr.status == 403) { } else if (xhr.status == 403) {
window.top.location.href = "${reverse('register_user')}?course_id=${course.id.to_deprecated_string()}&enrollment_action=enroll"; window.top.location.href = "${reverse('register_user')}?course_id=${course.id | u}&enrollment_action=enroll";
} else { } else {
$('#register_error').html( $('#register_error').html(
(xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}") (xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}")
...@@ -77,7 +77,7 @@ ...@@ -77,7 +77,7 @@
<div style="display: none;"> <div style="display: none;">
<form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}"> <form id="class_enroll_form" method="post" data-remote="true" action="${reverse('change_enrollment')}">
<fieldset class="enroll_fieldset"> <fieldset class="enroll_fieldset">
<input name="course_id" type="hidden" value="${course.id.to_deprecated_string()}"> <input name="course_id" type="hidden" value="${course.id | h}">
<input name="enrollment_action" type="hidden" value="enroll"> <input name="enrollment_action" type="hidden" value="enroll">
<input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }"> <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
</fieldset> </fieldset>
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
<%inherit file="/main.html" /> <%inherit file="/main.html" />
<%namespace name='static' file='/static_content.html'/> <%namespace name='static' file='/static_content.html'/>
<%block name="headextra"> <%block name="headextra">
<%static:css group='style-course-vendor'/> <%static:css group='style-course-vendor'/>
<%static:css group='style-course'/> <%static:css group='style-course'/>
...@@ -19,6 +20,7 @@ ...@@ -19,6 +20,7 @@
<%! <%!
from util.date_utils import get_time_display from util.date_utils import get_time_display
from django.conf import settings from django.conf import settings
from django.utils.http import urlquote_plus
%> %>
<%block name="js_extra"> <%block name="js_extra">
...@@ -51,7 +53,9 @@ from django.conf import settings ...@@ -51,7 +53,9 @@ from django.conf import settings
%if settings.FEATURES.get("SHOW_PROGRESS_SUCCESS_BUTTON"): %if settings.FEATURES.get("SHOW_PROGRESS_SUCCESS_BUTTON"):
<% <%
SUCCESS_BUTTON_URL = settings.PROGRESS_SUCCESS_BUTTON_URL.format( SUCCESS_BUTTON_URL = settings.PROGRESS_SUCCESS_BUTTON_URL.format(
course_id=course.id.to_deprecated_string(), student_id=student.id) course_id=urlquote_plus(unicode(course.id)),
student_id=urlquote_plus(student.id)
)
nonzero_cutoffs = [cutoff for cutoff in course.grade_cutoffs.values() if cutoff > 0] nonzero_cutoffs = [cutoff for cutoff in course.grade_cutoffs.values() if cutoff > 0]
success_cutoff = min(nonzero_cutoffs) if nonzero_cutoffs else None success_cutoff = min(nonzero_cutoffs) if nonzero_cutoffs else None
%> %>
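Review bot: `urlquote_plus` encodes spaces as `+` and `/` as `%2F`, which is correct only when `PROGRESS_SUCCESS_BUTTON_URL` places `{course_id}` in a query string; if the configured template uses it as a path segment, `urlquote` is the matching helper (`course-v1` style keys already contain literal `+`, which either helper encodes). Also, `unicode(course.id)` replaces `course.id.to_deprecated_string()`, so the value sent to the external URL may change form for newer key types; confirm the receiving side accepts it. `SUCCESS_BUTTON_URL` is consumed outside the hunk.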
...@@ -16,7 +16,7 @@ function setup_debug(element_id, edit_link, staff_context){ ...@@ -16,7 +16,7 @@ function setup_debug(element_id, edit_link, staff_context){
var username = $("#" + element_id + "_history_student_username").val(); var username = $("#" + element_id + "_history_student_username").val();
var location = $("#" + element_id + "_history_location").val(); var location = $("#" + element_id + "_history_location").val();
$("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id)}" + $("#" + element_id + "_history_text").load('/courses/' + "${unicode(course.id) | u}" +
"/submission_history/" + username + "/" + location); "/submission_history/" + username + "/" + location);
return false; return false;
} }
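Review bot: `username` and `location`, read from form fields on the two lines above, are still concatenated into the `.load()` URL unencoded while `course.id` is now percent-encoded; use `encodeURIComponent(username)` and `encodeURIComponent(location)` in the concatenation so a value containing `/`, `?` or `#` cannot alter the request path. Note that `| u` is `quote_plus`, so a space in the course id becomes `+` and `/` becomes `%2F` inside a path segment; whether the server decodes that back before routing depends on the WSGI layer, so confirm the route still matches. `setup_debug` starts outside the hunk.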
...@@ -70,7 +70,7 @@ ...@@ -70,7 +70,7 @@
location.href = "${reverse('dashboard')}"; location.href = "${reverse('dashboard')}";
} else if (xhr.status == 403) { } else if (xhr.status == 403) {
location.href = "${reverse('signin_user')}?course_id=" + location.href = "${reverse('signin_user')}?course_id=" +
$("#unenroll_course_id").val() + "&enrollment_action=unenroll"; encodeURIComponont($("#unenroll_course_id").val()) + "&enrollment_action=unenroll";
} else { } else {
$('#unenroll_error').html( $('#unenroll_error').html(
xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}" xhr.responseText ? xhr.responseText : "${_("An error occurred. Please try again later.")}"
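Review bot: `encodeURIComponont` is a typo for `encodeURIComponent`; as written the 403 branch throws a ReferenceError and the redirect to the sign-in page never happens. Change the line to `encodeURIComponent($("#unenroll_course_id").val()) + "&enrollment_action=unenroll";`. The XHR error handler starts outside the hunk.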
...@@ -49,7 +49,7 @@ strong { ...@@ -49,7 +49,7 @@ strong {
<strong>{% trans "Order Id:" %}</strong> {{cert.order.id}} <strong>{% trans "Order Id:" %}</strong> {{cert.order.id}}
</p> </p>
<p> <p>
<strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %}) <strong>{% trans "Enrollment:" %}</strong> {{enrollment.course_id|escape}} {{enrollment.mode}} ({% if enrollment.is_active %}{% trans "enrolled" %}{% else %}{% trans "unenrolled" %}{% endif %})
</p> </p>
<p> <p>
<strong>{% trans "Cost:" %}</strong> {{cert.unit_cost}} {{cert.currency}} <strong>{% trans "Cost:" %}</strong> {{cert.unit_cost}} {{cert.currency}}
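Review bot: `{{enrollment.course_id|escape}}` only has an effect if this template is rendered with autoescaping off (usual for email templates, and the `strong {` in the hunk header hints at inline mail styles); with autoescape on, the filter is redundant. If autoescaping is indeed off here, `{{enrollment.mode}}` on the same line and `{{cert.order.id}}` two lines above should get `|escape` as well for consistency, even if they are currently limited to safe values.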
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
<section class="discussion container" id="discussion-container" <section class="discussion container" id="discussion-container"
data-roles="${roles}" data-roles="${roles}"
data-course-id="${course_id}" data-course-id="${course_id | h}"
data-user-info="${user_info}" data-user-info="${user_info}"
data-threads="${threads}" data-threads="${threads}"
data-thread-pages="${thread_pages}" data-thread-pages="${thread_pages}"
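Review bot: Only `data-course-id` gained `| h` here; `data-roles`, `data-user-info`, `data-threads` and `data-thread-pages` on the adjacent lines are still emitted raw into attribute values. If those are server-side JSON dumps they contain `"` and user-authored thread text, so they need `| h` just as much (`data-threads="${threads | h}"`), unless the view already HTML-escapes them before rendering — worth confirming. The same pattern applies to the `discussion-user-threads` section in the next file of this commit. The `<section>` start tag continues past the hunk.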
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
</nav> </nav>
</section> </section>
<section class="course-content container discussion-user-threads" data-course-id="${course.id.to_deprecated_string() | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/> <section class="course-content container discussion-user-threads" data-course-id="${course.id | h}" data-threads="${threads}" data-user-info="${user_info}" data-page="${page}" data-num-pages="${num_pages}"/>
</div> </div>
</section> </section>
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
<li class="field" id="add-coupon-modal-field-course_id"> <li class="field" id="add-coupon-modal-field-course_id">
<label for="coupon_course_id">${_("Course ID")}</label> <label for="coupon_course_id">${_("Course ID")}</label>
<input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id']}" <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id'] | h}"
readonly aria-required="true"/> readonly aria-required="true"/>
</li> </li>
...@@ -30,17 +30,17 @@ ...@@ -30,17 +30,17 @@
<ul class="list-input"> <ul class="list-input">
<li class="field text is-not-editable" id="field-course-organization"> <li class="field text is-not-editable" id="field-course-organization">
<label for="course-organization">${_("Organization:")}</label> <label for="course-organization">${_("Organization:")}</label>
<b>${ section_data['course_id'].org }</b> <b>${ section_data['course_id'].org | h}</b>
</li> </li>
<li class="field text is-not-editable" id="field-course-number"> <li class="field text is-not-editable" id="field-course-number">
<label for="course-number">${_("Course Number:")}</label> <label for="course-number">${_("Course Number:")}</label>
<b>${ section_data['course_id'].course }</b> <b>${ section_data['course_id'].course | h}</b>
</li> </li>
<li class="field text is-not-editable" id="field-course-name"> <li class="field text is-not-editable" id="field-course-name">
<label for="course-name">${_("Course Name:")}</label> <label for="course-name">${_("Course Name:")}</label>
<b>${ section_data['course_id'].run }</b> <b>${ section_data['course_id'].run | h}</b>
</li> </li>
<li class="field text is-not-editable" id="field-course-display-name"> <li class="field text is-not-editable" id="field-course-display-name">
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%page args="section_data"/> <%page args="section_data"/>
...@@ -191,7 +192,7 @@ ...@@ -191,7 +192,7 @@
var data = {} var data = {}
data['sections'] = JSON.stringify(allSectionArr); data['sections'] = JSON.stringify(allSectionArr);
data['tooltips'] = JSON.stringify(allTooltipArr); data['tooltips'] = JSON.stringify(allTooltipArr);
data['course_id'] = "${section_data['course_id']}"; data['course_id'] = "${section_data['course_id'] | escapejs}";
data['data_type'] = event.type; data['data_type'] = event.type;
var input_data = document.createElement("input"); var input_data = document.createElement("input");
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
<%! from microsite_configuration import page_title_breadcrumbs %> <%! from microsite_configuration import page_title_breadcrumbs %>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%! from django.utils import html %> <%! from django.utils.http import urlquote_plus %>
## Define a couple of helper functions to make life easier when ## Define a couple of helper functions to make life easier when
## embedding theme conditionals into templates. All inheriting ## embedding theme conditionals into templates. All inheriting
...@@ -148,7 +148,7 @@ ...@@ -148,7 +148,7 @@
<%def name="login_query()">${ <%def name="login_query()">${
u"?course_id={0}&enrollment_action={1}".format( u"?course_id={0}&enrollment_action={1}".format(
html.escape(course_id), urlquote_plus(course_id),
html.escape(enrollment_action) urlquote_plus(enrollment_action)
) if course_id and enrollment_action else "" ) if course_id and enrollment_action else ""
}</%def> }</%def>
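Review bot: The `${ ... }` expression that forms login_query's body carries no explicit `| h`, so its output appears to reach the page unfiltered; that is acceptable only because `urlquote_plus` percent-encodes every HTML metacharacter in `course_id` and `enrollment_action`, which is a property worth recording before someone swaps the quoting function again. Suggest a comment above the def: `## Both values are percent-encoded, so the resulting query string can be placed directly in an href attribute without further HTML escaping.` The literal `&` joining the two parameters is emitted raw; if the result lands in an attribute, `&amp;` is the strictly correct form, although browsers tolerate the bare form.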
...@@ -41,7 +41,7 @@ criteria.{end_li_tag} ...@@ -41,7 +41,7 @@ criteria.{end_li_tag}
%if problem['closed']: %if problem['closed']:
${problem['problem_name']} ${problem['problem_name']}
%else: %else:
<a href="#problem" data-location="${problem['location'].to_deprecated_string()}" class="problem-button">${problem['problem_name']}</a> <a href="#problem" data-location="${problem['location'] | h}" class="problem-button">${problem['problem_name']}</a>
%endif %endif
</td> </td>
<td> <td>
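Review bot: `problem['problem_name']` is still rendered without `| h` on the line before the changed one and as the link text on the changed line itself, while the adjacent `data-location` now gets it. Problem names are presumably author-supplied display strings rather than keys, so they fall outside this commit's stated scope, but the same hunk is the natural place to filter them: `${problem['problem_name'] | h}` in both positions. The enclosing table row continues outside the hunk.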
......
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<section class="container peer-grading-container"> <section class="container peer-grading-container">
<div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location.to_deprecated_string()}" data-use-single-location="${use_single_location}"> <div class="peer-grading" data-ajax-url="${ajax_url}" data-location="${problem_location | h}" data-use-single-location="${use_single_location}">
<div class="error-container"></div> <div class="error-container"></div>
<section class="content-panel"> <section class="content-panel">
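Review bot: Only `data-location` receives `| h` in the opening `<div class="peer-grading">` tag; `data-ajax-url="${ajax_url}"` and `data-use-single-location="${use_single_location}"` on the same line remain unfiltered. Both are probably server-generated (a reversed URL and a boolean), so the practical exposure is small, but filtering every attribute value uniformly spares the next reader from reasoning about which ones are trusted: `data-ajax-url="${ajax_url | h}"` and `data-use-single-location="${use_single_location | h}"`.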
......
...@@ -52,7 +52,7 @@ ...@@ -52,7 +52,7 @@
% if item.status == "purchased": % if item.status == "purchased":
<td>${item.qty}</td> <td>${item.qty}</td>
<td>${item.line_desc}</td> <td>${item.line_desc}</td>
<td><a href="${course_id}" class="enter-course">${_('View Course')}</a></td> <td><a href="${course_id | h}" class="enter-course">${_('View Course')}</a></td>
<td>${"{0:0.2f}".format(item.unit_cost)} <td>${"{0:0.2f}".format(item.unit_cost)}
% if item.list_price != None: % if item.list_price != None:
<span class="old-price"> ${"{0:0.2f}".format(item.list_price)}</span> <span class="old-price"> ${"{0:0.2f}".format(item.list_price)}</span>
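Review bot: `href="${course_id | h}"` uses the course key itself as the link target; `| h` keeps the value inside the attribute, but a key is not a URL, and a key whose first segment contains a colon would be read by the browser as a URL scheme rather than a relative path. The gitlogs hunk in this same commit builds its course link through `reverse(...)`, and the same approach looks appropriate here unless the view has already converted `course_id` into a URL, which I cannot tell from the hunk.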
......
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.template.defaultfilters import escapejs %>
<%namespace name='static' file='/static_content.html'/> <%namespace name='static' file='/static_content.html'/>
## The JS for this is defined in xqa_interface.html ## The JS for this is defined in xqa_interface.html
...@@ -9,10 +10,10 @@ ${block_content} ...@@ -9,10 +10,10 @@ ${block_content}
<a href="${edit_link}">Edit</a> <a href="${edit_link}">Edit</a>
% if xqa_key: % if xqa_key:
/ <a href="#${element_id}_xqa-modal" onclick="javascript:getlog('${element_id}', { / <a href="#${element_id}_xqa-modal" onclick="javascript:getlog('${element_id}', {
'location': '${location}', 'location': '${location | h}',
'xqa_key': '${xqa_key}', 'xqa_key': '${xqa_key | h}',
'category': '${category}', 'category': '${category | h}',
'user': '${user}' 'user': '${user | h}'
})" id="${element_id}_xqa_log">QA</a> })" id="${element_id}_xqa_log">QA</a>
% endif % endif
</div> </div>
...@@ -58,10 +59,10 @@ ${block_content} ...@@ -58,10 +59,10 @@ ${block_content}
<div class="staff_actions"> <div class="staff_actions">
<h3>${_('Actions')}</h3> <h3>${_('Actions')}</h3>
<div> <div>
<label for="sd_fu_${location.name}">${_('Username')}:</label> <label for="sd_fu_${location.name | h}">${_('Username')}:</label>
<input type="text" id="sd_fu_${location.name}" placeholder="${user.username}"/> <input type="text" id="sd_fu_${location.name | h}" placeholder="${user.username}"/>
</div> </div>
<div data-location="${location.to_deprecated_string()}" data-location-name="${location.name}"> <div data-location="${location | h}" data-location-name="${location.name | h}">
[ [
<a href="#" class="staff-debug-reset">${_('Reset Student Attempts')}</a> <a href="#" class="staff-debug-reset">${_('Reset Student Attempts')}</a>
% if has_instructor_access: % if has_instructor_access:
...@@ -72,7 +73,7 @@ ${block_content} ...@@ -72,7 +73,7 @@ ${block_content}
% endif % endif
] ]
</div> </div>
<div id="result_${location.name}"/> <div id="result_${location.name | h}"/>
</div> </div>
<div class="staff_info" style="display:block"> <div class="staff_info" style="display:block">
...@@ -106,7 +107,7 @@ category = ${category | h} ...@@ -106,7 +107,7 @@ category = ${category | h}
<form id="${element_id}_history_form"> <form id="${element_id}_history_form">
<label for="${element_id}_history_student_username">${_("User:")}</label> <label for="${element_id}_history_student_username">${_("User:")}</label>
<input id="${element_id}_history_student_username" type="text" placeholder=""/> <input id="${element_id}_history_student_username" type="text" placeholder=""/>
<input type="hidden" id="${element_id}_history_location" value="${location.to_deprecated_string()}"/> <input type="hidden" id="${element_id}_history_location" value="${location | h}"/>
<div class="submit"> <div class="submit">
<button name="submit" type="submit">${_("View History")}</button> <button name="submit" type="submit">${_("View History")}</button>
</div> </div>
...@@ -129,7 +130,7 @@ $(function () { ...@@ -129,7 +130,7 @@ $(function () {
null, null,
%endif %endif
{ {
'location': '${location.to_deprecated_string()}', 'location': '${location | escapejs}',
'xqa_key': '${xqa_key}', 'xqa_key': '${xqa_key}',
'category': '${category}', 'category': '${category}',
'user': '${user}' 'user': '${user}'
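Review bot: In the last hunk only `location` gains `| escapejs`; `xqa_key`, `category` and `user` on the three lines below it are still interpolated raw into JavaScript string literals inside the `<script>` block, so a quote or backslash in any of them still breaks the literal, and the fix is the same filter on each: `'xqa_key': '${xqa_key | escapejs}'`, `'category': '${category | escapejs}'`, `'user': '${user | escapejs}'`. The `onclick` hunk near the top of this section has the mirror-image gap: those values sit in an attribute whose text is HTML-decoded and then parsed as JavaScript, so `| h` covers the attribute boundary but not the inner single-quoted literal, and whether `h` escapes single quotes depends on the Mako/markupsafe version in use. For that context the filter order is JS-escape then HTML-escape, `'location': '${location | escapejs, h}'`, applied likewise to the other three keys there. The `getlog` call on the closing line of that hunk and the surrounding `<div>` extend outside the visible lines.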
......
...@@ -75,7 +75,7 @@ textarea { ...@@ -75,7 +75,7 @@ textarea {
%if course_id is not None: %if course_id is not None:
## Translators: Git is a version-control system; see http://git-scm.com/about ## Translators: Git is a version-control system; see http://git-scm.com/about
<h2>${_('Recent git load activity for {course_id}').format(course_id=course_id)}</h2> <h2>${_('Recent git load activity for {course_id}').format(course_id=course_id) | h}</h2>
%if error_msg: %if error_msg:
<h3>${_('Error')}:</h3> <h3>${_('Error')}:</h3>
<p>${error_msg}</p> <p>${error_msg}</p>
...@@ -100,15 +100,13 @@ textarea { ...@@ -100,15 +100,13 @@ textarea {
%> %>
% for cil in logs: % for cil in logs:
<% <%
course_id_string = cil.course_id.to_deprecated_string() if cil.course_id else None
# Appropriate datetime string for current locale and timezone # Appropriate datetime string for current locale and timezone
date = get_time_display(cil.created.replace(tzinfo=UTC), date = get_time_display(cil.created.replace(tzinfo=UTC),
DEFAULT_DATE_TIME_FORMAT, coerce_tz=settings.TIME_ZONE) DEFAULT_DATE_TIME_FORMAT, coerce_tz=settings.TIME_ZONE)
%> %>
<tr> <tr>
<td>${date}</td> <td>${date}</td>
<td><a href="${reverse('gitlogs')}/${course_id_string}">${course_id_string}</a></td> <td><a href="${reverse('gitlogs_detail', kwargs={'course_id': unicode(cil.course_id)})}">${cil.course_id | h}</a></td>
<td>${cil.git_log}</td> <td>${cil.git_log}</td>
</tr> </tr>
%endfor %endfor
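Review bot: The new link line calls `reverse('gitlogs_detail', kwargs={'course_id': unicode(cil.course_id)})` unconditionally, whereas the removed `course_id_string` line guarded `cil.course_id` being None; if a log row can still lack a course id, `unicode(None)` yields `'None'` and `reverse` either raises NoReverseMatch mid-render or emits a link to a course that does not exist. Keep the guard, wrapping the anchor in `% if cil.course_id:` / `% endif` with an empty cell otherwise, unless the model now guarantees the field. Separately, `${cil.git_log}` on the following line is still unfiltered; if that column holds raw git output, commit messages from the imported repository reach the page unescaped, so `${cil.git_log | h}` belongs in this same hunk.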
......
...@@ -174,7 +174,7 @@ ...@@ -174,7 +174,7 @@
<li class="wizard-step step-proceed"> <li class="wizard-step step-proceed">
<form id="reverify_form" method="post"> <form id="reverify_form" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }"> <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
<input type="hidden" name="course_id" value="${course_id}"> <input type="hidden" name="course_id" value="${course_id | h}">
<input class="action-primary disabled" type="button" id="midcourse_reverify_button" value="${_('Submit photos &amp; re-verify')}" name="payment"> <input class="action-primary disabled" type="button" id="midcourse_reverify_button" value="${_('Submit photos &amp; re-verify')}" name="payment">
</form> </form>
</li> </li>
......
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from django.core.urlresolvers import reverse %> <%! from django.core.urlresolvers import reverse %>
<%! from django.template.defaultfilters import escapejs %>
<%inherit file="../main.html" /> <%inherit file="../main.html" />
<%namespace name='static' file='/static_content.html'/> <%namespace name='static' file='/static_content.html'/>
...@@ -14,7 +15,7 @@ var submitToPaymentProcessing = function(event) { ...@@ -14,7 +15,7 @@ var submitToPaymentProcessing = function(event) {
var xhr = $.post( var xhr = $.post(
"${create_order_url}", "${create_order_url}",
{ {
"course_id" : "${course_id}", "course_id" : "${course_id | escapejs}",
}, },
function(data) { function(data) {
for (prop in data) { for (prop in data) {
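Review bot: `"${create_order_url}"` is the other string literal in this `$.post` call and stays unfiltered while `course_id` two lines below now gets `| escapejs`. The URL is presumably produced by `reverse`, so the practical risk is small, but filtering both keeps the `<script>` block uniformly escaped: `"${create_order_url | escapejs}",`. The enclosing `submitToPaymentProcessing` function starts and ends outside the hunk.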
......