Merge pull request #226 from edx/im-security-13

Incident Management Security Fix 13

Merge pull request #226 from edx/im-security-13
Incident Management Security Fix 13
2136cde7 · Azan Bin Zahid · GitHub · 4cb4be6a · 5e466bc7 · 2136cde7
Unverified Commit 2136cde7 authored 3 years ago by Azan Bin Zahid Committed by GitHub 3 years ago
--- a/common/djangoapps/third_party_auth/templates/third_party_auth/post_custom_auth_entry.html
+++ b/common/djangoapps/third_party_auth/templates/third_party_auth/post_custom_auth_entry.html
@@ -2,7 +2,7 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-    <title>{% trans "Please wait" %}</title>
+    <title>{% trans "Please wait" as tmsg %}{{tmsg|force_escape}}</title>
    <style type="text/css">
    #djDebug {display:none;}
    </style>

--- a/common/lib/xmodule/xmodule/js/src/collapsible.js
+++ b/common/lib/xmodule/xmodule/js/src/collapsible.js
@@ -29,7 +29,7 @@

        // Standard longform + shortfom pattern.
        el.find('.longform').hide();
-        el.find('.shortform').append(linkTop, linkBottom);
+        el.find('.shortform').append(linkTop, linkBottom); // xss-lint: disable=javascript-jquery-append

        // Custom longform + shortform text pattern.
        short_custom = el.find('.shortform-custom');
@@ -40,7 +40,14 @@

            open_text = $(elt).data('open-text');
            close_text = $(elt).data('close-text');
-            $(elt).append("<a href='#' class='full-custom'>" + open_text + '</a>');
+            edx.HtmlUtils.append(
+                $(elt),
+                edx.HtmlUtils.joinHtml(
+                    edx.HtmlUtils.HTML("<a href='#' class='full-custom'>"),
+                    gettext(open_text),
+                    edx.HtmlUtils.HTML('</a>')
+                )
+            );

            $(elt).find('.full-custom').click(function(event) {
                Collapsible.toggleFull(event, open_text, close_text);

--- a/lms/static/js/api_admin/views/catalog_preview.js
+++ b/lms/static/js/api_admin/views/catalog_preview.js
@@ -6,8 +6,9 @@
        'underscore',
        'gettext',
        'text!../../../templates/api_admin/catalog-results.underscore',
-        'text!../../../templates/api_admin/catalog-error.underscore'
-    ], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl) {
+        'text!../../../templates/api_admin/catalog-error.underscore',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl, HtmlUtils) {
        return Backbone.View.extend({

            events: {
@@ -20,9 +21,8 @@
            },

            render: function() {
-                this.$('#id_query').after(
-                    '<button class="preview-query">' + gettext('Preview this query') + '</button>'
-                );
+                // eslint-disable-next-line
+                this.$('#id_query').after(HtmlUtils.joinHtml(HtmlUtils.HTML('<button class="preview-query">'), gettext('Preview this query'), HtmlUtils.HTML('</button>')).toString());
                return this;
            },

@@ -44,7 +44,10 @@
                    method: 'GET',
                    success: _.bind(this.renderCourses, this),
                    error: _.bind(function() {
-                        this.$('.preview-results').html(_.template(catalogErrorTpl)({}));
+                        HtmlUtils.setHtml(
+                            this.$('.preview-results'),
+                            HtmlUtils.template(catalogErrorTpl)({})
+                        );
                    }, this)
                });
            },
@@ -54,10 +57,13 @@
             * courses API.
             */
            renderCourses: function(data) {
-                this.$('.preview-results').html(_.template(catalogResultsTpl)({
-                    courses: data.results,
-                    catalogApiUrl: this.catalogApiUrl
-                }));
+                HtmlUtils.setHtml(
+                    this.$('.preview-results'),
+                    HtmlUtils.template(catalogResultsTpl)({
+                        courses: data.results,
+                        catalogApiUrl: this.catalogApiUrl
+                    })
+                );
            }
        });
    });

--- a/lms/static/js/discovery/views/filter_bar.js
+++ b/lms/static/js/discovery/views/filter_bar.js
@@ -5,8 +5,9 @@
        'backbone',
        'gettext',
        'js/discovery/models/filter',
-        'js/discovery/views/filter_label'
-    ], function($, _, Backbone, gettext, Filter, FilterLabel) {
+        'js/discovery/views/filter_label',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ], function($, _, Backbone, gettext, Filter, FilterLabel, HtmlUtils) {
        'use strict';

        return Backbone.View.extend({
@@ -20,7 +21,7 @@
            },

            initialize: function() {
-                this.tpl = _.template($(this.templateId).html());
+                this.tpl = HtmlUtils.template($(this.templateId).html());
                this.render();
                this.listenTo(this.collection, 'remove', this.hideIfEmpty);
                this.listenTo(this.collection, 'add', this.addFilter);
@@ -28,7 +29,10 @@
            },

            render: function() {
-                this.$el.html(this.tpl());
+                HtmlUtils.setHtml(
+                    this.$el,
+                    this.tpl()
+                );
                this.$ul = this.$el.find('ul');
                this.$el.addClass('is-animated');
                return this;