Commit e424ce8a by Jesse Zoldak

Merge pull request #8196 from edx/release

Merge hotfix from release to master
parents dc04f08e 019da46c
<%! import json %> <%! import json %>
<%! from django.core.urlresolvers import reverse %> <%! from django.core.urlresolvers import reverse %>
<%! from django.utils.translation import ugettext as _ %> <%! from django.utils.translation import ugettext as _ %>
<%! from xmodule.modulestore import EdxJSONEncoder %> <%! from openedx.core.lib.json_utils import EscapedEdxJSONEncoder %>
<%inherit file="/main.html" /> <%inherit file="/main.html" />
<%namespace name='static' file='/static_content.html'/> <%namespace name='static' file='/static_content.html'/>
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
<script> <script>
(function (require) { (function (require) {
require(['js/student_profile/views/learner_profile_factory'], function(setupLearnerProfile) { require(['js/student_profile/views/learner_profile_factory'], function(setupLearnerProfile) {
var options = ${ json.dumps(data, cls=EdxJSONEncoder) }; var options = ${ json.dumps(data, cls=EscapedEdxJSONEncoder) };
setupLearnerProfile(options); setupLearnerProfile(options);
}); });
}).call(this, require || RequireJS.require); }).call(this, require || RequireJS.require);
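Review bot: The line `var options = ${ json.dumps(data, cls=EscapedEdxJSONEncoder) };` carries no hint of why the HTML-specific encoder is required here, and a later editor could plausibly switch it back to `EdxJSONEncoder` for consistency with other templates. A one-line Mako comment above it would pin the intent: `## EscapedEdxJSONEncoder emits <, > and & as \uXXXX escapes so user-controlled strings in ``data`` cannot terminate this <script> element.` The `(function (require) { ... })` wrapper is entirely inside the hunk, so the comment sits cleanly just before the `var options` line.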
"""
Utilities for dealing with JSON.
"""
import simplejson
from xmodule.modulestore import EdxJSONEncoder
class EscapedEdxJSONEncoder(EdxJSONEncoder):
"""
Class for encoding edx JSON which will be printed inline into HTML
templates.
"""
def encode(self, obj):
"""
Encodes JSON that is safe to be embedded in HTML.
"""
return simplejson.dumps(
simplejson.loads(super(EscapedEdxJSONEncoder, self).encode(obj)),
cls=simplejson.JSONEncoderForHTML
)
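Review bot: `encode` is overridden but `iterencode` is not, so the escaping only reaches callers that go through `json.dumps`; `json.dump(obj, fp, cls=EscapedEdxJSONEncoder)` and any direct `iterencode` caller still get the unescaped base-class output, which is exactly the script-breakout this class exists to prevent. Routing the streaming path through the same code closes that gap: `def iterencode(self, o, _one_shot=False): yield self.encode(o)`. The round trip through `simplejson.loads` also discards any `indent`, `sort_keys` or `separators` options the caller passed to the encoder constructor, because the second `dumps` builds a fresh `JSONEncoderForHTML` with defaults; if that is intended, the docstring should say so.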
"""
Tests for json_utils.py
"""
import json
from unittest import TestCase
from openedx.core.lib.json_utils import EscapedEdxJSONEncoder
class TestEscapedEdxJSONEncoder(TestCase):
"""Test the EscapedEdxJSONEncoder class."""
def test_escapes_forward_slashes(self):
"""Verify that we escape forward slashes with backslashes."""
malicious_json = {'</script><script>alert("hello, ");</script>': '</script><script>alert("world!");</script>'}
self.assertNotIn(
'</script>',
json.dumps(malicious_json, cls=EscapedEdxJSONEncoder)
)
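Review bot: The docstring `Verify that we escape forward slashes with backslashes.` does not describe what the encoder does — `simplejson.JSONEncoderForHTML` rewrites `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026` and leaves `/` untouched — so it will mislead anyone extending the test. Suggested wording: `"""Verify that <, > and & are emitted as \\uXXXX escapes so the output cannot close a <script> element."""`. The negative assertion alone would also pass for an encoder that mangled the payload in some unrelated way; asserting the expected form pins the behavior: `self.assertIn('\\u003c/script\\u003e', json.dumps(malicious_json, cls=EscapedEdxJSONEncoder))`.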