Skip to content

E
edx-platform
Commit bdef3bed by cahrens
Options

Fix escaping in course discovery templates.

parent dab77fda
Showing with 45 additions and 43 deletions
lms/static/js/discovery/views/refine_sidebar.js
...@@ -4,8 +4,8 @@ define([ ...@@ -4,8 +4,8 @@ define([
'jquery', 'jquery',
'underscore', 'underscore',
'backbone', 'backbone',
'gettext' 'edx-ui-toolkit/js/utils/html-utils'
], function ($, _, Backbone, gettext) { ], function ($, _, Backbone, HtmlUtils) {
'use strict'; 'use strict';
return Backbone.View.extend({ return Backbone.View.extend({
...@@ -18,10 +18,10 @@ define([ ...@@ -18,10 +18,10 @@ define([
}, },
initialize: function (options) { initialize: function (options) {
this.meanings = options.meanings || {} this.meanings = options.meanings || {};
this.$container = this.$el.find('.search-facets-lists'); this.$container = this.$el.find('.search-facets-lists');
this.facetTpl = _.template($('#facet-tpl').html()); this.facetTpl = HtmlUtils.template($('#facet-tpl').html());
this.facetOptionTpl = _.template($('#facet_option-tpl').html()); this.facetOptionTpl = HtmlUtils.template($('#facet_option-tpl').html());
}, },
facetName: function (key) { facetName: function (key) {
...@@ -35,31 +35,32 @@ define([ ...@@ -35,31 +35,32 @@ define([
}, },
renderOptions: function (options) { renderOptions: function (options) {
var html = _.map(options, function(option) { return HtmlUtils.joinHtml.apply(this, _.map(options, function(option) {
var data = _.clone(option.attributes); var data = _.clone(option.attributes);
data.name = this.termName(data.facet, data.term); data.name = this.termName(data.facet, data.term);
return this.facetOptionTpl(data); return this.facetOptionTpl(data);
}, this).join(''); }, this));
return html;
}, },
renderFacet: function (facetKey, options) { renderFacet: function (facetKey, options) {
return this.facetTpl({ return this.facetTpl({
name: facetKey, name: facetKey,
displayName: this.facetName(facetKey), displayName: this.facetName(facetKey),
options: this.renderOptions(options), optionsHtml: this.renderOptions(options),
listIsHuge: (options.length > 9) listIsHuge: (options.length > 9)
}); });
}, },
render: function () { render: function () {
var grouped = this.collection.groupBy('facet'); var grouped = this.collection.groupBy('facet');
var html = _.map(grouped, function(options, facetKey) { var htmlSnippet = HtmlUtils.joinHtml.apply(
if (options.length > 0) { this, _.map(grouped, function(options, facetKey) {
return this.renderFacet(facetKey, options); if (options.length > 0) {
} return this.renderFacet(facetKey, options);
}, this).join(''); }
this.$container.html(html); }, this)
);
HtmlUtils.setHtml(this.$container, htmlSnippet);
return this; return this;
}, },
...@@ -90,7 +91,7 @@ define([ ...@@ -90,7 +91,7 @@ define([
$target.data('value'), $target.data('value'),
$target.data('text') $target.data('text')
); );
}, }
}); });
......
lms/templates/course.html
...@@ -3,27 +3,27 @@ ...@@ -3,27 +3,27 @@
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
%> %>
<%page args="course" /> <%page args="course" expression_filter="h"/>
<article class="course" id="${course.id | h}" role="region" aria-label="${course.display_name_with_default_escaped}"> <article class="course" id="${course.id}" role="region" aria-label="${course.display_name_with_default}">
<a href="${reverse('about_course', args=[course.id.to_deprecated_string()])}"> <a href="${reverse('about_course', args=[course.id.to_deprecated_string()])}">
<header class="course-image"> <header class="course-image">
<div class="cover-image"> <div class="cover-image">
<img src="${course.course_image_url | h}" alt="${course.display_name_with_default_escaped} ${course.display_number_with_default | h}" /> <img src="${course.course_image_url}" alt="${course.display_name_with_default} ${course.display_number_with_default}" />
<div class="learn-more" aria-hidden=true>${_("LEARN MORE")}</div> <div class="learn-more" aria-hidden=true>${_("LEARN MORE")}</div>
</div> </div>
</header> </header>
<div class="course-info" aria-hidden="true"> <div class="course-info" aria-hidden="true">
<h2 class="course-name"> <h2 class="course-name">
<span class="course-organization">${course.display_org_with_default | h}</span> <span class="course-organization">${course.display_org_with_default}</span>
<span class="course-code">${course.display_number_with_default | h}</span> <span class="course-code">${course.display_number_with_default}</span>
<span class="course-title">${course.display_name_with_default_escaped}</span> <span class="course-title">${course.display_name_with_default}</span>
</h2> </h2>
<div class="course-date" aria-hidden="true">${_("Starts")}: ${course.start_datetime_text()}</div> <div class="course-date" aria-hidden="true">${_("Starts")}: ${course.start_datetime_text()}</div>
</div> </div>
<div class="sr"> <div class="sr">
<ul> <ul>
<li>${course.display_org_with_default | h}</li> <li>${course.display_org_with_default}</li>
<li>${course.display_number_with_default | h}</li> <li>${course.display_number_with_default}</li>
<li>${_("Starts")}: <time itemprop="startDate" datetime="${course.start_datetime_text()}">${course.start_datetime_text()}</time></li> <li>${_("Starts")}: <time itemprop="startDate" datetime="${course.start_datetime_text()}">${course.start_datetime_text()}</time></li>
</ul> </ul>
</div> </div>
......
lms/templates/courses_list.html
<%page expression_filter="h"/>
<%namespace name='static' file='static_content.html'/> <%namespace name='static' file='static_content.html'/>
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
......
lms/templates/discovery/course_card.underscore
<article class="course" role="region" aria-label="<%= content.display_name %>"> <article class="course" role="region" aria-label="<%- content.display_name %>">
<a href="/courses/<%- course %>/about"> <a href="/courses/<%- course %>/about">
<header class="course-image"> <header class="course-image">
<div class="cover-image"> <div class="cover-image">
<img src="<%- image_url %>" alt="<%= content.display_name %> <%= content.number %>" /> <img src="<%- image_url %>" alt="<%- content.display_name %> <%- content.number %>" />
<div class="learn-more" aria-hidden=true><%= gettext("LEARN MORE") %></div> <div class="learn-more" aria-hidden=true><%- gettext("LEARN MORE") %></div>
</div> </div>
</header> </header>
<section class="course-info" aria-hidden="true"> <section class="course-info" aria-hidden="true">
<h2 class="course-name"> <h2 class="course-name">
<span class="course-organization"><%= org %></span> <span class="course-organization"><%- org %></span>
<span class="course-code"><%= content.number %></span> <span class="course-code"><%- content.number %></span>
<span class="course-title"><%= content.display_name %></span> <span class="course-title"><%- content.display_name %></span>
</h2> </h2>
<div class="course-date" aria-hidden="true"> <div class="course-date" aria-hidden="true">
<%= interpolate( <%- interpolate(
gettext("Starts: %(start_date)s"), gettext("Starts: %(start_date)s"),
{ start_date: start }, true { start_date: start }, true
) %> ) %>
...@@ -21,9 +21,9 @@ ...@@ -21,9 +21,9 @@
</section> </section>
<div class="sr"> <div class="sr">
<ul> <ul>
<li><%= org %></li> <li><%- org %></li>
<li><%= content.number %></li> <li><%- content.number %></li>
<li><%= gettext("Starts") %><time itemprop="startDate" datetime="<%- start %>"><%- start %></time></li> <li><%- gettext("Starts") %><time itemprop="startDate" datetime="<%- start %>"><%- start %></time></li>
</ul> </ul>
</div> </div>
</a> </a>
......
lms/templates/discovery/facet.underscore
<h3 class="header-facet"> <h3 class="header-facet">
<%= displayName %> <%- displayName %>
</h3> </h3>
<ul data-facet="<%= name %>" class="facet-list collapse"> <ul data-facet="<%- name %>" class="facet-list collapse">
<%= options %> <%= HtmlUtils.ensureHtml(optionsHtml) %>
</ul> </ul>
<% if (listIsHuge) { %> <% if (listIsHuge) { %>
<div class="toggle "> <div class="toggle ">
<button class="show-more discovery-button"> <button class="show-more discovery-button">
<%= gettext("More") %> <%- gettext("More") %>
</button> </button>
<button class="show-less hidden discovery-button"> <button class="show-less hidden discovery-button">
<%= gettext("Less") %> <%- gettext("Less") %>
</button> </button>
</div> </div>
<% } %> <% } %>
lms/templates/discovery/facet_option.underscore
<li> <li>
<button data-facet="<%= facet %>" data-value="<%= term %>" data-text="<%= name %>" class="facet-option discovery-button <%= selected ? 'selected' : '' %>"> <button data-facet="<%- facet %>" data-value="<%- term %>" data-text="<%- name %>" class="facet-option discovery-button <%- selected ? 'selected' : '' %>">
<%= name %> <%- name %>
<span class="count"> <span class="count">
<span class="count-number"><%= count %></span> <span class="count-number"><%- count %></span>
</span> </span>
</button> </button>
</li> </li>
lms/templates/discovery/filter_bar.underscore
<div class="filters-inner"> <div class="filters-inner">
<ul class="active-filters facet-list"></ul> <ul class="active-filters facet-list"></ul>
<button id="clear-all-filters" class="clear-filters flt-right discovery-button"><%= gettext('Clear All') %></button> <button id="clear-all-filters" class="clear-filters flt-right discovery-button"><%- gettext('Clear All') %></button>
</div> </div>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment