Secure templates used to inject Segment and Optimizely

a104d82e · Renzo Lucioni · 88aa4a90 · a104d82e · a104d82e · a104d82e
Commit a104d82e authored Mar 23, 2016 by Renzo Lucioni
5 changed files
--- a/cms/templates/widgets/segment-io-footer.html
+++ b/cms/templates/widgets/segment-io-footer.html
+<%page expression_filter="h"/>
+<%! from openedx.core.djangolib.js_utils import js_escaped_string %>
+
 % if settings.CMS_SEGMENT_KEY:
    <!-- begin segment footer -->
    <script type="text/javascript">
@@ -6,10 +9,10 @@
        // screws up RequireJS' JQuery initialization.
        var onLoadCallback = function() {
            analytics.identify(
-                "${user.id}",
+                "${ user.id | n, js_escaped_string }",
                {
-                    email: "${user.email}",
-                    username: "${user.username}"
+                    email: "${ user.email | n, js_escaped_string }",
+                    username: "${ ser.username | n, js_escaped_string }"
                },
                {
                    integrations: {

--- a/cms/templates/widgets/segment-io.html
+++ b/cms/templates/widgets/segment-io.html
-<%! from django.template.defaultfilters import escapejs %>
+<%page expression_filter="h"/>
+<%! from openedx.core.djangolib.js_utils import js_escaped_string %>

 % if context_course:
 <%
@@ -11,12 +12,12 @@
 <script type="text/javascript">
  // if inside course, inject the course location into the JS namespace
  %if context_course:
-      var course_location_analytics = "${locator | escapejs}";
+      var course_location_analytics = "${ locator | n, js_escaped_string }";
  %endif

  // Asynchronously load Segment's analytics.js library
  !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","page","once","off","on"];analytics.factory=function(t){return function(){var e=Array.prototype.slice.call(arguments);e.unshift(t);analytics.push(e);return analytics}};for(var t=0;t<analytics.methods.length;t++){var e=analytics.methods[t];analytics[e]=analytics.factory(e)}analytics.load=function(t){var e=document.createElement("script");e.type="text/javascript";e.async=!0;e.src=("https:"===document.location.protocol?"https://":"http://")+"cdn.segment.com/analytics.js/v1/"+t+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(e,n)};analytics.SNIPPET_VERSION="3.1.0";
-  analytics.load("${ settings.CMS_SEGMENT_KEY }");
+  analytics.load("${ settings.CMS_SEGMENT_KEY | n, js_escaped_string }");
  analytics.page();
  }}();
  // Note: user tracking moved to segment-io-footer.html
@@ -26,7 +27,7 @@
 <!-- dummy Segment -->
 <script type="text/javascript">
  %if context_course:
-  var course_location_analytics = "${locator | escapejs}";
+  var course_location_analytics = "${ locator | n, js_escaped_string }";
  %endif
  var analytics = {
    "track": function() {}

--- a/lms/templates/widgets/optimizely.html
+++ b/lms/templates/widgets/optimizely.html
+<%page expression_filter="h"/>
+
 % if settings.OPTIMIZELY_PROJECT_ID and not disable_optimizely:
-<script src=${'//cdn.optimizely.com/js/{}.js'.format(settings.OPTIMIZELY_PROJECT_ID)}></script>
+<script src=${ '//cdn.optimizely.com/js/{}.js'.format(settings.OPTIMIZELY_PROJECT_ID) }></script>
 % endif
--- a/lms/templates/widgets/segment-io-footer.html
+++ b/lms/templates/widgets/segment-io-footer.html
+<%page expression_filter="h"/>
+<%! from openedx.core.djangolib.js_utils import js_escaped_string %>
+
 % if settings.LMS_SEGMENT_KEY:
    <!-- begin segment footer -->
    <script type="text/javascript">
    % if user.is_authenticated():
        $(window).load(function() {
            analytics.identify(
-                "${user.id}",
+                "${ user.id | n, js_escaped_string }",
                {
-                    email: "${user.email}",
-                    username: "${user.username}"
+                    email: "${ user.email | n, js_escaped_string }",
+                    username: "${ user.username | n, js_escaped_string }"
                },
                {
                    integrations: {

--- a/lms/templates/widgets/segment-io.html
+++ b/lms/templates/widgets/segment-io.html
+<%page expression_filter="h"/>
+<%! from openedx.core.djangolib.js_utils import js_escaped_string %>
+
 % if settings.LMS_SEGMENT_KEY:
 <!-- begin Segment -->
 <script type="text/javascript">
  // Asynchronously load Segment's analytics.js library
  !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","page","once","off","on"];analytics.factory=function(t){return function(){var e=Array.prototype.slice.call(arguments);e.unshift(t);analytics.push(e);return analytics}};for(var t=0;t<analytics.methods.length;t++){var e=analytics.methods[t];analytics[e]=analytics.factory(e)}analytics.load=function(t){var e=document.createElement("script");e.type="text/javascript";e.async=!0;e.src=("https:"===document.location.protocol?"https://":"http://")+"cdn.segment.com/analytics.js/v1/"+t+"/analytics.min.js";var n=document.getElementsByTagName("script")[0];n.parentNode.insertBefore(e,n)};analytics.SNIPPET_VERSION="3.1.0";
-  analytics.load("${ settings.LMS_SEGMENT_KEY }");
+  analytics.load("${ settings.LMS_SEGMENT_KEY | n, js_escaped_string }");
  analytics.page();
  }}();
  // Note: user tracking moved to segment-io-footer.html