Incident Management security fixes (#25834)
Ali-D-Akbar authored Dec 10, 2020
1 parent 134d68d commit 9f92605
Showing 11 changed files with 101 additions and 58 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ window.ABTestSelector = function(runtime, elem) {
// force this id to remain a string, even if it looks like something else
var child_group_id = $(this).data('group-id').toString();
if (child_group_id === group_id) {
_this.content_container.html($(this).text());
_this.content_container.html(edx.HtmlUtils.HTML($(this).text()).toString());
XBlock.initializeBlocks(_this.content_container, $(elem).data('request-token'));
}
});
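Review bot: `edx.HtmlUtils.HTML($(this).text()).toString()` on the new line declares the child group's text to be trusted markup and then hands the same string to `.html()`; `HtmlUtils.HTML` marks, it does not escape, so the call changes nothing at runtime and only satisfies the linter. If that content is authored only by course staff this is acceptable, but the line should say so: `// child group content comes from the block's own markup; HTML() declares it trusted, it does not sanitize`. For consistency with the other files in this commit, `edx.HtmlUtils.setHtml(_this.content_container, edx.HtmlUtils.HTML($(this).text()))` keeps the snippet type up to the insertion point instead of stringifying it first. The enclosing `.each` handler starts above the hunk.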
14 changes: 10 additions & 4 deletions common/static/common/js/discussion/views/new_post_view.js
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,11 @@
startHeader: this.startHeader,
form_id: this.mode + (this.topicId ? '-' + this.topicId : '')
});
this.$el.html(_.template($('#new-post-template').html())(context));
threadTypeTemplate = _.template($('#thread-type-template').html());
edx.HtmlUtils.setHtml(
this.$el,
edx.HtmlUtils.template($('#new-post-template').html())(context)
);
threadTypeTemplate = edx.HtmlUtils.template($('#thread-type-template').html());
if ($('.js-group-select').prop('disabled')) {
$('.group-selector-wrapper').addClass('disabled');
}
Expand All @@ -77,7 +80,7 @@
if (this.course_settings.get('is_discussion_division_enabled')) {
this.topicView.on('thread:topic_change', this.updateVisibilityMessage);
}
this.addField(this.topicView.render());
this.addField(edx.HtmlUtils.HTML(this.topicView.render()));
} else {
this.group_name = this.getGroupName();
this.updateVisibilityMessage(null, this.is_commentable_divided);
Expand All @@ -86,7 +89,10 @@
};

NewPostView.prototype.addField = function(fieldView) {
return this.$('.forum-new-post-form-wrapper').append(fieldView);
return edx.HtmlUtils.append(
this.$('.forum-new-post-form-wrapper'),
fieldView
);
};

NewPostView.prototype.isTabMode = function() {
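Review bot: `edx.HtmlUtils.HTML(this.topicView.render())` in the second hunk declares whatever `render()` returns to be trusted markup; if, as the Backbone convention suggests, it returns the view or its element rather than an HTML string, the snippet wraps an object and the `edx.HtmlUtils.append` in `addField` appears to work only because the snippet hands that object through unchanged. Appending the rendered element explicitly, e.g. `this.$('.forum-new-post-form-wrapper').append(this.topicView.render().el)` for element arguments with `edx.HtmlUtils.append` reserved for snippet arguments, makes the intent clear instead of relying on that. Either way `addField` should document what it accepts: `/** @param {HtmlSnippet|Element} fieldView - rendered field; plain strings are escaped by HtmlUtils.append. */`. The `render` method around the first two hunks starts above them.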
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,11 @@
ResponseCommentEditView.prototype.render = function() {
var context = $.extend({mode: this.options.mode, startHeader: this.options.startHeader},
this.model.attributes);
this.template = _.template($('#response-comment-edit-template').html());
this.$el.html(this.template(context));
this.template = edx.HtmlUtils.template($('#response-comment-edit-template').html());
edx.HtmlUtils.setHtml(
this.$el,
this.template(context)
);
this.delegateEvents();
DiscussionUtil.makeWmdEditor(this.$el, $.proxy(this.$, this), 'edit-comment-body');
return this;
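Review bot: Switching to `edx.HtmlUtils.template` and `setHtml` moves all escaping into `#response-comment-edit-template`: `HtmlUtils.template` escapes only `<%- %>` interpolations, and `context` is built from `this.model.attributes`, i.e. the comment author's own text, so every attribute the template prints must use `<%- %>` (the template itself is not in this diff). The same holds for `ThreadResponseEditView.render` in the next section, `render` in enrollment.js, and the `HtmlUtils.template(this.tpl)` / `this.successTpl` calls in the financial-assistance view. A one-line reminder above the compile would make the contract visible: `// HtmlUtils.template escapes <%- %> only; model attributes in the template must not use <%= %>`.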
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,11 @@
ThreadResponseEditView.prototype.render = function() {
var context = $.extend({mode: this.options.mode, startHeader: this.options.startHeader},
this.model.attributes);
this.template = _.template($('#thread-response-edit-template').html());
this.$el.html(this.template(context));
this.template = edx.HtmlUtils.template($('#thread-response-edit-template').html());
edx.HtmlUtils.setHtml(
this.$el,
this.template(context)
);
this.delegateEvents();
DiscussionUtil.makeWmdEditor(this.$el, $.proxy(this.$, this), 'edit-post-body');
return this;
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,13 @@
<div class="submit-row">
{% if original.lockout_until %}
<input type="submit"
value="{% trans "Unlock Account" %}"
value="{% trans "Unlock Account" as tmsg %}{{tmsg|force_escape}}"
name="_unlock"
class="deletelink">
{% endif %}
<a href="{% url opts|admin_urlname:'changelist' %}"
class="closelink">
{% trans 'Close' %}
{% trans 'Close' as tmsg %}{{tmsg|force_escape}}
</a>
</div>
{% endblock %}
Expand All @@ -19,14 +19,14 @@
{% if original.lockout_until %}
<p class="deletelink-box">
<input type="submit"
value="{% trans "Unlock Account" %}"
value="{% trans "Unlock Account" as tmsg %}{{tmsg|force_escape}}"
name="_unlock"
class="deletelink">
</p>
{% endif %}
<a href="{% url opts|admin_urlname:'changelist' %}"
class="closelink">
{% trans 'Close' %}
{% trans 'Close' as tmsg %}{{tmsg|force_escape}}
</a>
</div>
{% endblock %}
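Review bot: `force_escape` escapes unconditionally and ignores Django's safe-string marking, so if the installed Django already autoescapes the captured translation when `as tmsg` is used (recent versions appear to run the value through `render_value_in_context` before storing it), a translation of "Unlock Account" or "Close" containing an apostrophe or ampersand renders double-escaped. Verify with one such translation before applying this pattern across the template; `{{ tmsg|escape }}` escapes exactly once in either case, but check that it still satisfies the lint rule this change is meant to clear. The four occurrences here are otherwise identical.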
23 changes: 13 additions & 10 deletions lms/djangoapps/support/static/support/js/views/enrollment.js
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,9 @@
'moment',
'support/js/views/enrollment_modal',
'support/js/collections/enrollment',
'text!support/templates/enrollment.underscore'
], function(Backbone, _, moment, EnrollmentModal, EnrollmentCollection, enrollmentTemplate) {
'text!support/templates/enrollment.underscore',
'edx-ui-toolkit/js/utils/html-utils'
], function(Backbone, _, moment, EnrollmentModal, EnrollmentCollection, enrollmentTemplate, HtmlUtils) {
return Backbone.View.extend({

ENROLLMENT_CHANGE_REASONS: {
Expand All @@ -35,14 +36,16 @@

render: function() {
var user = this.enrollments.user;
this.$el.html(_.template(enrollmentTemplate)({
user: user,
enrollments: this.enrollments,
formatDate: function(date) {
return date ? moment.utc(date).format('lll z') : 'N/A';
}
}));

HtmlUtils.setHtml(
this.$el,
HtmlUtils.template(enrollmentTemplate)({
user: user,
enrollments: this.enrollments,
formatDate: function(date) {
return date ? moment.utc(date).format('lll z') : 'N/A';
}
})
);
this.checkInitialSearch();
return this;
},
14 changes: 8 additions & 6 deletions lms/static/js/certificates/views/certificate_whitelist_editor.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,10 @@
'underscore',
'gettext',
'backbone',
'js/certificates/models/certificate_exception'
'js/certificates/models/certificate_exception',
'edx-ui-toolkit/js/utils/html-utils'
],
function($, _, gettext, Backbone, CertificateExceptionModel) {
function($, _, gettext, Backbone, CertificateExceptionModel, HtmlUtils) {
return Backbone.View.extend({
el: '#certificate-white-list-editor',
message_div: '.message',
Expand All @@ -21,7 +22,7 @@

render: function() {
var template = this.loadTemplate('certificate-white-list-editor');
this.$el.html(template());
this.$el.html(HtmlUtils.HTML(template()).toString());
},

loadTemplate: function(name) {
Expand Down Expand Up @@ -59,12 +60,12 @@
var message = '';

if (this.collection.findWhere(model)) {
message = gettext('<%= user %> already in exception list.');
message = gettext('<%- user %> already in exception list.');
this.escapeAndShowMessage(
_.template(message)({user: (user_name || user_email)})
);
} else if (certificate_exception.isValid()) {
message = gettext('<%= user %> has been successfully added to the exception list. Click Generate Exception Certificate below to send the certificate.'); // eslint-disable-line max-len
message = gettext('<%- user %> has been successfully added to the exception list. Click Generate Exception Certificate below to send the certificate.'); // eslint-disable-line max-len
certificate_exception.save(
null,
{
Expand All @@ -88,7 +89,8 @@

escapeAndShowMessage: function(message) {
$(this.message_div + '>p').remove();
this.$(this.message_div).removeClass('hidden').append('<p>' + _.escape(message) + '</p>');
// eslint-disable-next-line max-len
this.$(this.message_div).removeClass('hidden').append(HtmlUtils.joinHtml(HtmlUtils.HTML('<p>'), message, HtmlUtils.HTML('</p>')).toString());
},

showSuccess: function(caller, add_model, message) {
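Review bot: `<%- user %>` in the two message templates now escapes the user once, and `escapeAndShowMessage` then passes the rendered string to `HtmlUtils.joinHtml`, which escapes plain-string arguments again, so a name such as `O'Brien` (constructed example) reaches the page double-escaped where the removed `_.escape(message)` escaped it once. Render the messages with `HtmlUtils.template(message)({user: (user_name || user_email)})` instead of `_.template`, so `escapeAndShowMessage` receives an HtmlSnippet that `joinHtml` leaves alone while callers passing plain strings are still escaped. `this.$el.html(HtmlUtils.HTML(template()).toString())` in `render` changes nothing at runtime, since `HTML()` marks rather than escapes; `HtmlUtils.setHtml(this.$el, HtmlUtils.HTML(template()))` keeps the snippet type to the insertion point, and `escapeAndShowMessage` can likewise end in `HtmlUtils.append(...)` rather than `.append(...toString())`. The function containing the two message branches starts above the second hunk.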
36 changes: 25 additions & 11 deletions lms/static/js/edxnotes/views/shim.js
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
(function(define, undefined) {
'use strict';
define([
'jquery', 'underscore', 'annotator_1.2.9', 'js/edxnotes/utils/utils'
], function($, _, Annotator, Utils) {
'jquery', 'underscore', 'annotator_1.2.9', 'js/edxnotes/utils/utils', 'edx-ui-toolkit/js/utils/html-utils'
], function($, _, Annotator, Utils, HtmlUtils) {
var _t = Annotator._t;

/**
Expand Down Expand Up @@ -48,9 +48,15 @@
// It depends on the number of annotatable components on the page.
var tagsField = $('li.annotator-item >input', this.annotator.editor.element).attr('id');
if ($("label.sr[for='" + tagsField + "']", this.annotator.editor.element).length === 0) {
$('<label class="sr" for=' + tagsField + '>' + _t('Tags (space-separated)') + '</label>').insertBefore(
$('#' + tagsField, this.annotator.editor.element)
);
HtmlUtils.prepend(
$('#' + tagsField, this.annotator.editor.element),
$(HtmlUtils.joinHtml(
HtmlUtils.HTML('<label class="sr" for='),
tagsField,
HtmlUtils.HTML('>'),
_t('Tags (space-separated)'),
HtmlUtils.HTML('</label>')
)));
}
return this;
},
Expand Down Expand Up @@ -159,14 +165,15 @@
.addField({
load: function(field, annotation) {
if (annotation.text) {
$(field).html(Utils.nl2br(Annotator.Util.escape(annotation.text)));
$(field).html(HtmlUtils.HTML(Utils.nl2br(annotation.text)).toString());
} else {
$(field).html('<i>' + _t('No Comment') + '</i>');
// eslint-disable-next-line max-len
$(field).html(HtmlUtils.joinHtml(HtmlUtils.HTML('<i>'), _t('No Comment'), HtmlUtils.HTML('</i>')).toString());
}
return self.publish('annotationViewerTextField', [field, annotation]);
}
})
.element.appendTo(this.wrapper).bind({
.element.appendTo(this.wrapper).bind({ // xss-lint: disable=javascript-jquery-insert-into-target
mouseover: this.clearViewerHideTimer,
mouseout: this.startViewerHideTimer
});
Expand Down Expand Up @@ -210,9 +217,15 @@
// It depends on the number of annotatable components on the page.
var noteField = $('li.annotator-item >textarea', this.element).attr('id');
if ($("label.sr[for='" + noteField + "']", this.element).length === 0) {
$('<label class="sr" for=' + noteField + '>' + _t('Note') + '</label>').insertBefore(
$('#' + noteField, this.element)
);
HtmlUtils.prepend(
$('#' + noteField, this.element),
$(HtmlUtils.joinHtml(
HtmlUtils.HTML('<label class="sr" for='),
noteField,
HtmlUtils.HTML('>'),
_t('Note'),
HtmlUtils.HTML('</label>')
)));
}

if (event.type === 'keydown') {
Expand All @@ -234,6 +247,7 @@
* Modifies Annotator.onHighlightMouseover to avoid showing the viewer if the
* editor is opened.
**/
// xss-lint: disable=javascript-jquery-insertion
Annotator.prototype.onHighlightMouseover = _.wrap(
Annotator.prototype.onHighlightMouseover,
function(func, event) {
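Review bot: The new `$(field).html(HtmlUtils.HTML(Utils.nl2br(annotation.text)).toString())` drops the `Annotator.Util.escape` call the removed line applied to `annotation.text` and declares the result trusted; unless `Utils.nl2br` (from `js/edxnotes/utils/utils`, outside this diff) now escapes its input, a note body containing markup is inserted into the viewer unescaped. If nl2br still only rewrites newlines, keep the escape inside the wrapper: `$(field).html(HtmlUtils.HTML(Utils.nl2br(Annotator.Util.escape(annotation.text))).toString());`. The two new `xss-lint: disable=…` comments (on the `.bind` line and before `onHighlightMouseover`) should each state why the insertion is safe, e.g. `// xss-lint: disable=javascript-jquery-insert-into-target — viewer element is assembled from HtmlUtils snippets above`. The `load` callback is complete in its hunk, but the surrounding `.addField` chain starts above it.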
10 changes: 5 additions & 5 deletions lms/static/js/edxnotes/views/tabs/search_results.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
'use strict';
define([
'jquery', 'underscore', 'gettext', 'js/edxnotes/views/tab_panel', 'js/edxnotes/views/tab_view',
'js/edxnotes/views/search_box'
], function($, _, gettext, TabPanelView, TabView, SearchBoxView) {
'js/edxnotes/views/search_box', 'edx-ui-toolkit/js/utils/html-utils', 'edx-ui-toolkit/js/utils/string-utils'
], function($, _, gettext, TabPanelView, TabView, SearchBoxView, HtmlUtils, StringUtils) {
var view = 'Search Results';
var SearchResultsView = TabView.extend({
PanelConstructor: TabPanelView.extend({
Expand All @@ -16,7 +16,7 @@
].join(' ');
},
renderContent: function() {
this.$el.append(this.getNotes(this.collection.toArray()));
this.$el.append(HtmlUtils.HTML(this.getNotes(this.collection.toArray())).toString());
return this;
}
}),
Expand All @@ -31,10 +31,10 @@
].join(' ');
},
renderContent: function() {
var message = gettext('No results found for "%(query_string)s". Please try searching again.');
var message = gettext('No results found for "{query_string}". Please try searching again.');

this.$el.append($('<p />', {
text: interpolate(message, {
text: StringUtils.interpolate(message, {
query_string: this.options.searchQuery
}, true)
}));
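Review bot: `StringUtils.interpolate(message, {...}, true)` keeps the trailing `true` that was the named-arguments flag of the Django-style `interpolate` it replaces; `StringUtils.interpolate` takes only the format string and the parameter object, so the argument is dead and should go: `text: StringUtils.interpolate(message, { query_string: this.options.searchQuery })`. In the first hunk, `this.$el.append(HtmlUtils.HTML(this.getNotes(...)).toString())` declares the `getNotes` output trusted without escaping anything; if `getNotes` returns rendered note elements (it is not in this diff), `HtmlUtils.append(this.$el, ...)` is the consistent form and a short comment on why that output is trusted belongs there. The second `renderContent` closes below its hunk.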
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
'text!../../../templates/financial-assistance/financial_assessment_form.underscore',
'text!../../../templates/financial-assistance/financial_assessment_submitted.underscore',
'text!templates/student_account/form_field.underscore',
'edx-ui-toolkit/js/utils/html-utils',
'string_utils'
],
function(
Expand All @@ -21,7 +22,8 @@
FormView,
formViewTpl,
successTpl,
formFieldTpl
formFieldTpl,
HtmlUtils
) {
return FormView.extend({
el: '.financial-assistance-wrapper',
Expand Down Expand Up @@ -74,7 +76,7 @@
fields: html || ''
});

this.$el.html(_.template(this.tpl)(data));
HtmlUtils.setHtml(this.$el, HtmlUtils.template(this.tpl)(data));

this.postRender();
this.validateCountry();
Expand All @@ -83,7 +85,7 @@
},

renderSuccess: function() {
this.$el.html(_.template(this.successTpl)({
HtmlUtils.setHtml(this.$el, HtmlUtils.template(this.successTpl)({
course: this.model.get('course'),
dashboard_url: this.context.dashboard_url
}));
Expand All @@ -103,7 +105,9 @@
msg = gettext('An error has occurred. Check your Internet connection and try again.');
}

this.errors = ['<li>' + msg + '</li>'];
this.errors = [HtmlUtils.joinHtml(
HtmlUtils.HTML('<li>'), msg, HtmlUtils.HTML('</li>')
).toString()];
this.renderErrors(this.defaultFormErrorsTitle, this.errors);
this.toggleDisableButton(false);
},
Expand All @@ -122,14 +126,22 @@
// Translators: link_start and link_end denote the html to link back to the profile page.
gettext(txt.join('')),
{
link_start: '<a href="' + this.context.account_settings_url + '">',
link_start: HtmlUtils.joinHtml(
HtmlUtils.HTML('<a href="'),
this.context.account_settings_url,
HtmlUtils.HTML('">')
).toString(),
link_end: '</a>'
}
);

if (!this.model.get('country')) {
$countryLabel.addClass('error');
this.renderErrors(this.defaultFormErrorsTitle, ['<li>' + msg + '</li>']);
this.renderErrors(this.defaultFormErrorsTitle, [HtmlUtils.joinHtml(
HtmlUtils.HTML('<li>'),
msg,
HtmlUtils.HTML('</li>')
).toString()]);
this.toggleDisableButton(true);
}
},
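Review bot: `link_start` is demoted to a plain string by the `.toString()` after `HtmlUtils.HTML('">')`, and `link_end` stays the plain `'</a>'`, so the interpolated `msg` is a plain string; the `HtmlUtils.joinHtml(HtmlUtils.HTML('<li>'), msg, HtmlUtils.HTML('</li>'))` that now wraps it in the last hunk will escape the anchor and show it as literal text in the error (the interpolation call begins above the hunk, so which helper builds `msg` is not visible; if it is `HtmlUtils.interpolateHtml`, the stringified `link_start` would be escaped there instead, with the same visible result). Keep the snippet type end to end: drop the `.toString()` on `link_start`, use `link_end: HtmlUtils.HTML('</a>')`, build `msg` with `HtmlUtils.interpolateHtml`, and call `.toString()` only on the final `<li>` snippet handed to `renderErrors`. The earlier `this.errors = [...]` hunk is fine as written because its `msg` is a plain gettext string that should be escaped.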