Merge pull request #9817 from edx/jibsheet/teams-xss-fix

Escape team name in screenreader text.

Merge pull request #9817 from edx/jibsheet/teams-xss-fix
Escape team name in screenreader text.
a428385d · Kevin Falcone · dd7121f6 · dbc0803f · a428385d · a428385d
Commit a428385d authored Sep 17, 2015 by Kevin Falcone
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 8 deletions

common/test/acceptance/tests/lms/test_teams.py
+33 -7

lms/djangoapps/teams/static/teams/js/views/team_card.js
+1 -1

No files found.
--- a/common/test/acceptance/tests/lms/test_teams.py
+++ b/common/test/acceptance/tests/lms/test_teams.py
@@ -8,9 +8,10 @@ import time
 from dateutil.parser import parse
 import ddt
 from nose.plugins.attrib import attr
+from selenium.common.exceptions import TimeoutException
 from uuid import uuid4

-from ..helpers import EventsTestMixin, UniqueCourseTest
+from ..helpers import get_modal_alert, EventsTestMixin, UniqueCourseTest
 from ...fixtures import LMS_BASE_URL
 from ...fixtures.course import CourseFixture
 from ...fixtures.discussion import (
@@ -60,18 +61,23 @@ class TeamsTabBase(EventsTestMixin, UniqueCourseTest):
                'language': 'aa',
                'country': 'AF'
            }
-            response = self.course_fixture.session.post(
-                LMS_BASE_URL + '/api/team/v0/teams/',
-                data=json.dumps(team),
-                headers=self.course_fixture.headers
-            )
+            teams.append(self.post_team_data(team))
            # Sadly, this sleep is necessary in order to ensure that
            # sorting by last_activity_at works correctly when running
            # in Jenkins.
            time.sleep(time_between_creation)
-            teams.append(json.loads(response.text))
        return teams

+    def post_team_data(self, team_data):
+        """Given a JSON representation of a team, post it to the server."""
+        response = self.course_fixture.session.post(
+            LMS_BASE_URL + '/api/team/v0/teams/',
+            data=json.dumps(team_data),
+            headers=self.course_fixture.headers
+        )
+        self.assertEqual(response.status_code, 200)
+        return json.loads(response.text)
+
    def create_membership(self, username, team_id):
        """Assign `username` to `team_id`."""
        response = self.course_fixture.session.post(
@@ -838,6 +844,26 @@ class BrowseTeamsWithinTopicTest(TeamsTabBase):
        with self.assert_events_match_during(self.only_team_events, expected_events=events):
            self.browse_teams_page.visit()

+    def test_team_name_xss(self):
+        """
+        Scenario: Team names should be HTML-escaped on the teams page
+        Given I am enrolled in a course with teams enabled
+        When I visit the Teams page for a topic, with a team name containing JS code
+        Then I should not see any alerts
+        """
+        self.post_team_data({
+            'course_id': self.course_id,
+            'topic_id': self.topic['id'],
+            'name': '<script>alert("XSS")</script>',
+            'description': 'Description',
+            'language': 'aa',
+            'country': 'AF'
+        })
+        with self.assertRaises(TimeoutException):
+            self.browser.get(self.browse_teams_page.url)
+            alert = get_modal_alert(self.browser)
+            alert.accept()
+

 @attr('shard_5')
 class TeamFormActions(TeamsTabBase):

--- a/lms/djangoapps/teams/static/teams/js/views/team_card.js
+++ b/lms/djangoapps/teams/static/teams/js/views/team_card.js
@@ -135,7 +135,7 @@
            actionContent: function() {
                return interpolate(
                    gettext('View %(span_start)s %(team_name)s %(span_end)s'),
-                    {span_start: '<span class="sr">', team_name: this.teamModel().get('name'), span_end: '</span>'},
+                    {span_start: '<span class="sr">', team_name: _.escape(this.teamModel().get('name')), span_end: '</span>'},
                    true
                );
            },