Merge pull request #11797 from edx/christina/fix-improper-escaping

Fix improper escaping.

Merge pull request #11797 from edx/christina/fix-improper-escaping
Fix improper escaping.
e2c4131a · Eric Fischer · 4f5589e3 · 358ed255 · e2c4131a · e2c4131a
Commit e2c4131a authored Mar 22, 2016 by Eric Fischer
4 changed files
--- a/cms/static/js/views/content_group_details.js
+++ b/cms/static/js/views/content_group_details.js
@@ -75,18 +75,18 @@ define([
        },

        getOutlineAnchorMessage: function () {
-            var message = gettext(
+            var message = _.escape(gettext(
                    /*
                        Translators: 'outlineAnchor' is an anchor pointing to
                        the course outline page.
                    */
                    'This content group is not in use. Add a content group to any unit from the %(outlineAnchor)s.'
-                ),
+                )),
                anchor = str.sprintf(
                    '<a href="%(url)s" title="%(text)s">%(text)s</a>',
                    {
                            url: this.model.collection.parents[0].outlineUrl,
-                            text: gettext('Course Outline')
+                            text: _.escape(gettext('Course Outline'))
                    }
                );


--- a/cms/templates/js/content-group-details.underscore
+++ b/cms/templates/js/content-group-details.underscore
@@ -3,7 +3,7 @@
        <h3 class="title">
            <a href="#" class="toggle group-toggle <% if (showContentGroupUsages){ print('hide'); } else { print('show'); } %>-groups">
                <i class="ui-toggle-expansion icon fa fa-caret-<% if (showContentGroupUsages){ print('down'); } else { print('right'); } %>"></i>
-                <%= name %>
+                <%- name %>
            </a>
        </h3>
    </header>
@@ -11,28 +11,28 @@
   <ol class="collection-info group-configuration-info group-configuration-info-<% if(showContentGroupUsages){ print('block'); } else { print('inline'); } %>">
     <% if (!_.isUndefined(id)) { %>
         <li class="group-configuration-id"
-             ><span class="group-configuration-label"><%= gettext('ID') %>: </span
-             ><span class="group-configuration-value"><%= id %></span
+             ><span class="group-configuration-label"><%- gettext('ID') %>: </span
+             ><span class="group-configuration-value"><%- id %></span
         ></li>
     <% } %>
     <% if (!showContentGroupUsages) { %>
          <li class="group-configuration-usage-count">
-             <%= usageCountMessage %>
+             <%- usageCountMessage %>
         </li>
     <% } %>
   </ol>

    <ul class="actions group-configuration-actions">
        <li class="action action-edit">
-            <button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
+            <button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
        </li>
        <% if (_.isEmpty(usage)) { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Delete') %>">
-                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Delete') %>">
+                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
            </li>
        <% } else { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by a unit') %>">
-                <button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by a unit') %>">
+                <button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
            </li>
        <% } %>
    </ul>
@@ -41,17 +41,18 @@
 <% if (showContentGroupUsages) { %>
  <div class="collection-references wrapper-group-configuration-usages">
    <% if (!_.isEmpty(usage)) { %>
-      <h4 class="intro group-configuration-usage-text"><%= gettext('This content group is used in:') %></h4>
+      <h4 class="intro group-configuration-usage-text"><%- gettext('This content group is used in:') %></h4>
      <ol class="usage group-configuration-usage">
        <% _.each(usage, function(unit) { %>
          <li class="usage-unit group-configuration-usage-unit">
-            <p><a href=<%= unit.url %> ><%= unit.label %></a></p>
+            <p><a href=<%- unit.url %> ><%- unit.label %></a></p>
          </li>
        <% }) %>
      </ol>
    <% } else { %>
        <p class="group-configuration-usage-text">
-        <%= outlineAnchorMessage %>
+          <!-- This contains an anchor link and therefore can't be escaped. -->
+          <%= outlineAnchorMessage %>
        </p>
    <% } %>
  </div>

--- a/cms/templates/js/group-configuration-details.underscore
+++ b/cms/templates/js/group-configuration-details.underscore
@@ -3,7 +3,7 @@
        <h3 class="title group-configuration-title">
            <a href="#" class="toggle group-toggle <% if(showGroups){ print('hide'); } else { print('show'); } %>-groups">
                <i class="ui-toggle-expansion icon fa fa-caret-<% if(showGroups){ print('down'); } else { print('right'); } %>"></i>
-                <%= name %>
+                <%- name %>
            </a>
        </h3>
    </header>
@@ -11,20 +11,20 @@
    <ol class="collection-info group-configuration-info group-configuration-info-<% if(showGroups){ print('block'); } else { print('inline'); } %>">
      <% if (!_.isUndefined(id)) { %>
        <li class="group-configuration-id"
-            ><span class="group-configuration-label"><%= gettext('ID') %>: </span
-            ><span class="group-configuration-value"><%= id %></span
+            ><span class="group-configuration-label"><%- gettext('ID') %>: </span
+            ><span class="group-configuration-value"><%- id %></span
        ></li>
      <% } %>
      <% if (showGroups) { %>
        <li class="collection-description group-configuration-description">
-            <%= description %>
+            <%- description %>
        </li>
      <% } else { %>
        <li class="group-configuration-groups-count">
-            <%= groupsCountMessage %>
+            <%- groupsCountMessage %>
        </li>
        <li class="group-configuration-usage-count">
-            <%= usageCountMessage %>
+            <%- usageCountMessage %>
        </li>
      <% } %>
    </ol>
@@ -34,23 +34,23 @@
      <ol class="collection-items groups groups-<%= index %>">
        <% groups.each(function(group, groupIndex) { %>
          <li class="item group group-<%= groupIndex %>">
-            <span class="name group-name"><%= group.get('name') %></span>
-            <span class="meta group-allocation"><%= allocation %>%</span>
+            <span class="name group-name"><%- group.get('name') %></span>
+            <span class="meta group-allocation"><%- allocation %>%</span>
          </li>
        <% }) %>
      </ol>
    <% } %>
    <ul class="actions group-configuration-actions">
        <li class="action action-edit">
-            <button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
+            <button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
        </li>
        <% if (_.isEmpty(usage)) { %>
            <li class="action action-delete wrapper-delete-button">
-                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
            </li>
        <% } else { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by an experiment') %>">
-                <button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by an experiment') %>">
+                <button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
            </li>
        <% } %>
    </ul>
@@ -58,11 +58,11 @@
 <% if(showGroups) { %>
  <div class="collection-references wrapper-group-configuration-usages">
    <% if (!_.isEmpty(usage)) { %>
-      <h4 class="intro group-configuration-usage-text"><%= gettext('This Group Configuration is used in:') %></h4>
+      <h4 class="intro group-configuration-usage-text"><%- gettext('This Group Configuration is used in:') %></h4>
      <ol class="usage group-configuration-usage">
        <% _.each(usage, function(unit) { %>
          <li class="usage-unit group-configuration-usage-unit">
-            <p><a href=<%= unit.url %> ><%= unit.label %></a></p>
+            <p><a href=<%- unit.url %> ><%- unit.label %></a></p>
            <% if (unit.validation) { %>
              <p>
                <% if (unit.validation.type === 'warning') { %>
@@ -71,7 +71,7 @@
                  <i class="icon fa fa-exclamation-circle"></i>
                <% } %>
                <span class="usage-validation-message group-configuration-validation-message">
-                  <%= unit.validation.text %>
+                  <%- unit.validation.text %>
                </span>
              </p>
            <% } %>
@@ -80,6 +80,7 @@
      </ol>
    <% } else { %>
      <p class="group-configuration-usage-text">
+        <!-- This contains an anchor link and therefore can't be escaped. -->
        <%= outlineAnchorMessage %>
      </p>
    <% } %>

--- a/lms/templates/instructor/instructor_dashboard_2/cohort_management.html
+++ b/lms/templates/instructor/instructor_dashboard_2/cohort_management.html
@@ -2,6 +2,7 @@
 <%namespace name='static' file='../../static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
 from courseware.courses import get_studio_url
 from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_user_partition
 %>
@@ -27,7 +28,7 @@ from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_
            % for content_group in content_groups:
            {
                id: ${content_group.id},
-                name: "${content_group.name | h}",
+                name: "${content_group.name | n, js_escaped_string}",
                user_partition_id: cohortUserPartitionId
            },
            % endfor