Commit d6688de7 by Adam

Merge pull request #5097 from edx/hotfix/2014-09-05b

Hotfix/2014 09 05b
parents b1ada028 2bf9404d
......@@ -124,6 +124,32 @@ describe "DiscussionThreadView", ->
expect($(".post-body").text()).toEqual(expectedAbbreviation)
expect(DiscussionThreadShowView.prototype.convertMath).toHaveBeenCalled()
it "strips script tags appropriately", ->
DiscussionViewSpecHelper.setNextResponseContent({resp_total: 0, children: []})
longMaliciousBody = new Array(100).join("<script>alert('Until they think warm days will never cease');</script>\n")
@thread.set("body", longMaliciousBody)
maliciousAbbreviation = DiscussionUtil.abbreviateString(@thread.get('body'), 140)
# The nodes' html should be different than the strings, but
# their texts should be the same, indicating that they've been
# properly escaped. To be safe, make sure the string "<script"
# isn't present, either
@view.render()
expect($(".post-body").html()).not.toEqual(maliciousAbbreviation)
expect($(".post-body").text()).toEqual(maliciousAbbreviation)
expect($(".post-body").html()).not.toContain("<script")
@view.expand()
expect($(".post-body").html()).not.toEqual(longMaliciousBody)
expect($(".post-body").text()).toEqual(longMaliciousBody)
expect($(".post-body").html()).not.toContain("<script")
@view.collapse()
expect($(".post-body").html()).not.toEqual(maliciousAbbreviation)
expect($(".post-body").text()).toEqual(maliciousAbbreviation)
expect($(".post-body").html()).not.toContain("<script")
describe "for question threads", ->
beforeEach ->
@thread.set("thread_type", "question")
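Review bot: The spec pins the escaping done by `render`, `expand` and `collapse`, but `convertMath` appears to be stubbed in this suite (the `toHaveBeenCalled` assertion at the top of the hunk suggests a spy), so whatever it does to `.post-body` after the body is inserted is not exercised here; a one-line comment stating that boundary, or a companion test that runs the real `convertMath`, would make the coverage explicit. The abbreviation length `140` passed to `DiscussionUtil.abbreviateString` appears to mirror a limit inside the view's `getAbbreviatedBody`, which is not visible on this page; if so, reading it from the view or a shared constant would stop the test silently diverging when that limit changes. The `describe "DiscussionThreadView"` block and the preceding test start outside the hunk.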
......
......@@ -62,7 +62,7 @@ if Backbone?
if event
event.preventDefault()
@$el.addClass("expanded")
@$el.find(".post-body").html(@model.get("body"))
@$el.find(".post-body").text(@model.get("body"))
@showView.convertMath()
@$el.find(".forum-thread-expand").hide()
@$el.find(".forum-thread-collapse").show()
......@@ -74,7 +74,7 @@ if Backbone?
if event
event.preventDefault()
@$el.removeClass("expanded")
@$el.find(".post-body").html(@getAbbreviatedBody())
@$el.find(".post-body").text(@getAbbreviatedBody())
@showView.convertMath()
@$el.find(".forum-thread-expand").show()
@$el.find(".forum-thread-collapse").hide()
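Review bot: The switch from `.html()` to `.text()` for the post body is the right fix, but in both hunks the very next statement, `@showView.convertMath()`, re-processes `.post-body` after the text is set, and this page does not show whether that step works from the inserted text node or from the raw model body; if it renders markup, the escaping introduced here only holds as long as that path escapes as well, which is worth confirming and recording. A why-comment above the new line would keep the next maintainer from reverting it for formatting reasons, e.g. `# body is user-supplied: insert as text, never html (see the "strips script tags" spec)`. The same change is made in the second hunk for the collapsed body. The enclosing methods (apparently the expand and collapse handlers) start outside the hunks.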
......
......@@ -99,7 +99,6 @@
<tr class="coupons-headings">
<th class="c_code">${_("Code")}</th>
<th class="c_dsc">${_("Description")}</th>
<th class="c_course_id">${_("Course_id")}</th>
<th class="c_discount">${_("Discount (%)")}</th>
<th class="c_count">${_("Count")}</th>
<th class="c_action">${_("Actions")}</th>
......@@ -114,7 +113,6 @@
%endif
<td>${coupon.code}</td>
<td>${coupon.description}</td>
<td>${coupon.course_id.to_deprecated_string()}</td>
<td>${coupon.percentage_discount}</td>
<td>
${ coupon.couponredemption_set.all().count() }
......
<%! from django.utils.translation import ugettext as _ %>
<%! from django.core.urlresolvers import reverse %>
<%! from django.conf import settings %>
<%! from microsite_configuration import microsite %>
<%inherit file="../main.html" />
......@@ -22,7 +23,7 @@
<section class="wrapper cart-list">
<div class="wrapper-content-main">
<article class="content-main">
<h1>${_(settings.PLATFORM_NAME + " (" + settings.SITE_NAME + ")" + " Electronic Receipt")}</h1>
<h1>${_("{platform_name} ({site_name}) Electronic Receipt").format(platform_name=microsite.get_value('platform_name', settings.PLATFORM_NAME), site_name=microsite.get_value('SITE_NAME', settings.SITE_NAME))}</h1>
<hr />
<table class="order-receipt">
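Review bot: The two microsite lookups on the new `<h1>` line use differently-cased keys, `'platform_name'` and `'SITE_NAME'`; if `microsite.get_value` keys are case-sensitive this reads as an inconsistency worth confirming against the microsite configuration, and if both are intentional a short template comment saying so would save the next reader the same question. Moving the interpolation out of `_()` into `.format()` is the right change, since a string assembled at runtime can never be matched by the translation catalog. Whether the `${}` output is HTML-escaped depends on the template engine's default filters, which this page does not show; both values are deployment configuration rather than request input, so the exposure is limited, but a note on that assumption next to the heading would help.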
......