Udpate to secure by default

Most things were already escaped, including the json.dumps, and we've decided not to use dump_html_escaped_json

Udpate to secure by default
Most things were already escaped, including the json.dumps, and we've decided not to use dump_html_escaped_json
8a85d7e3 · Kevin Falcone · 1b1f3952 · 8a85d7e3
Commit 8a85d7e3 authored Mar 23, 2016 by Kevin Falcone
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

lms/templates/courseware/submission_history.html
+3 -2

No files found.
--- a/lms/templates/courseware/submission_history.html
+++ b/lms/templates/courseware/submission_history.html
+<%page expression_filter="h"/>
 <% import json  %>
-<h3>${username | h} > ${course_id | h} > ${location | h}</h3>
+<h3>${username} > ${course_id} > ${location}</h3>

 % for i, (entry, score) in enumerate(zip(history_entries, scores)):
 <hr/>
@@ -7,7 +8,7 @@
 <b>#${len(history_entries) - i}</b>: ${entry.updated} (${TIME_ZONE} time)</br>
 Score: ${score.grade} / ${score.max_grade}
 <pre>
-${json.dumps(entry.state, indent=2, sort_keys=True) | h}
+${json.dumps(entry.state, indent=2, sort_keys=True)}
 </pre>
 </div>
 % endfor