Merge pull request #11200 from edx/mushtaq/ecom2082-fix-enrollment-msg

Escape Course Name in enrolment message

Merge pull request #11200 from edx/mushtaq/ecom2082-fix-enrollment-msg
Escape Course Name in enrolment message
d8b902ad · Mushtaq Ali · 4938601c · 8f76f338 · d8b902ad · d8b902ad
Commit d8b902ad authored Jan 20, 2016 by Mushtaq Ali
8 changed files
--- a/cms/djangoapps/contentstore/tests/test_contentstore.py
+++ b/cms/djangoapps/contentstore/tests/test_contentstore.py
@@ -1430,7 +1430,7 @@ class ContentStoreTest(ContentStoreTestCase, XssTestMixin):
            html = '<script>alert("{name} XSS")</script>'.format(
                name=xss
            )
-            self.assert_xss(resp, html)
+            self.assert_no_xss(resp, html)

    def test_course_overview_view_with_course(self):
        """Test viewing the course overview page with an existing course"""

--- a/common/djangoapps/student/tests/test_recent_enrollments.py
+++ b/common/djangoapps/student/tests/test_recent_enrollments.py
@@ -16,11 +16,12 @@ from xmodule.modulestore.tests.factories import CourseFactory
 from course_modes.tests.factories import CourseModeFactory
 from student.models import CourseEnrollment, DashboardConfiguration
 from student.views import get_course_enrollments, _get_recently_enrolled_courses
+from common.test.utils import XssTestMixin


 @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
 @ddt.ddt
-class TestRecentEnrollments(ModuleStoreTestCase):
+class TestRecentEnrollments(ModuleStoreTestCase, XssTestMixin):
    """
    Unit tests for getting the list of courses for a logged in user
    """
@@ -126,6 +127,30 @@ class TestRecentEnrollments(ModuleStoreTestCase):
        response = self.client.get(reverse("dashboard"))
        self.assertContains(response, "Thank you for enrolling in")

+    def test_dashboard_escaped_rendering(self):
+        """
+        Tests that the dashboard renders the escaped recent enrollment messages appropriately.
+        """
+        self._configure_message_timeout(600)
+        self.client.login(username=self.student.username, password=self.PASSWORD)
+
+        # New Course
+        course_location = locator.CourseLocator('TestOrg', 'TestCourse', 'TestRun')
+        xss_content = "<script>alert('XSS')</script>"
+        course = CourseFactory.create(
+            org=course_location.org,
+            number=course_location.course,
+            run=course_location.run,
+            display_name=xss_content
+        )
+        CourseEnrollment.enroll(self.student, course.id)
+
+        response = self.client.get(reverse("dashboard"))
+        self.assertContains(response, "Thank you for enrolling in")
+
+        # Check if response is escaped
+        self.assert_no_xss(response, xss_content)
+
    @ddt.data(
        # Register as honor in any course modes with no payment option
        ([('audit', 0), ('honor', 0)], 'honor', True),

--- a/common/test/utils.py
+++ b/common/test/utils.py
@@ -34,7 +34,7 @@ class XssTestMixin(object):
    Mixin for testing XSS vulnerabilities.
    """

-    def assert_xss(self, response, xss_content):
+    def assert_no_xss(self, response, xss_content):
        """Assert that `xss_content` is not present in the content of
        `response`, and that its escaped version is present. Uses the
        same `markupsafe.escape` function as Mako templates.

--- a/lms/djangoapps/courseware/tests/test_course_survey.py
+++ b/lms/djangoapps/courseware/tests/test_course_survey.py
@@ -233,4 +233,4 @@ class SurveyViewsTests(LoginEnrollmentTestCase, ModuleStoreTestCase, XssTestMixi
                kwargs={'course_id': unicode(self.course.id)}
            )
        )
-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')
--- a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
+++ b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
@@ -113,7 +113,7 @@ class TestInstructorDashboard(ModuleStoreTestCase, LoginEnrollmentTestCase, XssT
        with script tags.
        """
        response = self.client.get(self.url)
-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')

    @override_settings(PAID_COURSE_REGISTRATION_CURRENCY=['PKR', 'Rs'])
    def test_override_currency_settings_in_the_html_response(self):

--- a/lms/djangoapps/shoppingcart/tests/test_views.py
+++ b/lms/djangoapps/shoppingcart/tests/test_views.py
@@ -938,7 +938,7 @@ class ShoppingCartViewsTests(SharedModuleStoreTestCase, XssTestMixin):
        self.login_user()
        url = reverse('shoppingcart.views.show_receipt', args=[self.cart.id])
        resp = self.client.get(url)
-        self.assert_xss(resp, '<script>alert("XSS")</script>')
+        self.assert_no_xss(resp, '<script>alert("XSS")</script>')

    @patch('shoppingcart.views.render_to_response', render_mock)
    def test_reg_code_xss(self):
@@ -954,7 +954,7 @@ class ShoppingCartViewsTests(SharedModuleStoreTestCase, XssTestMixin):
        redeem_url = reverse('register_code_redemption', args=[self.reg_code])
        redeem_response = self.client.get(redeem_url)

-        self.assert_xss(redeem_response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(redeem_response, '<script>alert("XSS")</script>')

    def test_show_receipt_json_multiple_items(self):
        # Two different item types

--- a/lms/djangoapps/verify_student/tests/test_views.py
+++ b/lms/djangoapps/verify_student/tests/test_views.py
@@ -301,7 +301,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin):
        response = self._get_page('verify_student_verify_now', course.id)

        self._assert_messaging(response, PayAndVerifyView.VERIFY_NOW_MSG)
-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')

        # Expect that *all* steps are displayed,
        # but we start after the payment step (because it's already completed).
@@ -375,7 +375,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin):

        self._assert_messaging(response, PayAndVerifyView.PAYMENT_CONFIRMATION_MSG)

-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')

        # Expect that *all* steps are displayed,
        # but we start at the payment confirmation step
@@ -410,7 +410,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin):

        self._assert_messaging(response, PayAndVerifyView.FIRST_TIME_VERIFY_MSG)

-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')

        # Expect that *all* steps are displayed,
        # but we start on the first verify step
@@ -497,7 +497,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin):
            PayAndVerifyView.WEBCAM_REQ,
        ])
        self._assert_upgrade_session_flag(True)
-        self.assert_xss(response, '<script>alert("XSS")</script>')
+        self.assert_no_xss(response, '<script>alert("XSS")</script>')

    def test_upgrade_already_verified(self):
        course = self._create_course("verified")

--- a/lms/templates/enrollment/course_enrollment_message.html
+++ b/lms/templates/enrollment/course_enrollment_message.html
-<%! from django.utils.translation import ugettext as _ %>
+<%! from util.markup import ugettext as _ %>
+<%page expression_filter="h"/>
 % for course_msg in course_enrollment_messages:
    <div class="wrapper-msg urgency-high">
        <div class="msg has-actions">