XSS escape cms/templates/asset_index.html

b91d1f22 · Calen Pennington · 2607f8a9 · b91d1f22
Commit b91d1f22 authored Mar 23, 2016 by Calen Pennington
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 10 deletions

cms/templates/asset_index.html
+13 -10

No files found.
--- a/cms/templates/asset_index.html
+++ b/cms/templates/asset_index.html
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "files" %></%def>
 <%!
  from django.core.urlresolvers import reverse
  from django.utils.translation import ugettext as _
+  from openedx.core.djangolib.markup import Text, HTML
+  from openedx.core.djangolib.js_utils import js_escaped_string, dump_js_escaped_json
 %>
-<%block name="title">${_("Files &amp; Uploads")}</%block>
+<%block name="title">${_("Files & Uploads")}</%block>
 <%block name="bodyclass">is-signedin course uploads view-uploads</%block>

 <%namespace name='static' file='static_content.html'/>
@@ -20,10 +23,10 @@
 <%block name="requirejs">
    require(["js/factories/asset_index"], function (AssetIndexFactory) {
        AssetIndexFactory({
-          assetCallbackUrl: "${asset_callback_url}",
-          uploadChunkSizeInMBs: ${chunk_size_in_mbs},
-          maxFileSizeInMBs: ${max_file_size_in_mbs},
-          maxFileSizeRedirectUrl: "${max_file_size_redirect_url}"
+          assetCallbackUrl: "${asset_callback_url|n, js_escaped_string}",
+          uploadChunkSizeInMBs: ${chunk_size_in_mbs|n, dump_js_escaped_json},
+          maxFileSizeInMBs: ${max_file_size_in_mbs|n, dump_js_escaped_json},
+          maxFileSizeRedirectUrl: "${max_file_size_redirect_url|n, js_escaped_string}"
        });
    });
 </%block>
@@ -34,7 +37,7 @@
    <header class="mast has-actions has-subtitle">
        <h1 class="page-header">
            <small class="subtitle">${_("Content")}</small>
-            <span class="sr">&gt; </span>${_("Files &amp; Uploads")}
+            <span class="sr">&gt; </span>${_("Files & Uploads")}
        </h1>

        <nav class="nav-actions" aria-label="${_('Page Actions')}">
@@ -61,18 +64,18 @@
            <div class="bit">
                <h3 class="title-3">${_("Adding Files for Your Course")}</h3>

-                <p>${_("To add files to use in your course, click {em_start}Upload New File{em_end}. Then follow the prompts to upload a file from your computer.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("To add files to use in your course, click {em_start}Upload New File{em_end}. Then follow the prompts to upload a file from your computer.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>

-                <p>${_("{em_start}Caution{em_end}: {platform_name} recommends that you limit the file size to {em_start}10 MB{em_end}. In addition, do not upload video or audio files. You should use a third party service to host multimedia files.").format(em_start='<strong>', em_end="</strong>", platform_name=settings.PLATFORM_NAME)}</p>
+                <p>${Text(_("{em_start}Caution{em_end}: {platform_name} recommends that you limit the file size to {em_start}10 MB{em_end}. In addition, do not upload video or audio files. You should use a third party service to host multimedia files.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"), platform_name=settings.PLATFORM_NAME)}</p>

            	<p>${_("The course image, textbook chapters, and files that appear on your Course Handouts sidebar also appear in this list.")}</p>
            </div>
            <div class="bit">
                <h3 class="title-3">${_("Using File URLs")}</h3>

-                <p>${_("Use the {em_start}{studio_name} URL{em_end} value to link to the file or image from a component, a course update, or a course handout.").format(studio_name=settings.STUDIO_SHORT_NAME, em_start="<strong>", em_end="</strong>")}</p>
+                <p>${Text(_("Use the {em_start}{studio_name} URL{em_end} value to link to the file or image from a component, a course update, or a course handout.")).format(studio_name=settings.STUDIO_SHORT_NAME, em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>

-                <p>${_("Use the {em_start}Web URL{em_end} value to reference the file or image only from outside of your course. {em_start}Note:{em_end} If you lock a file, the Web URL no longer works for external access to a file.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("Use the {em_start}Web URL{em_end} value to reference the file or image only from outside of your course. {em_start}Note:{em_end} If you lock a file, the Web URL no longer works for external access to a file.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>

                <p>${_("To copy a URL, double click the value in the URL column, then copy the selected text.")}</p>
            </div>