Merge pull request #182 from edx/aehsan/fix_xss_linting_issues

fixed xss linting issues

Merge pull request #182 from edx/aehsan/fix_xss_linting_issues
fixed xss linting issues
cb8556bf · Waheed Ahmed · GitHub · 39639fef · c127706e · cb8556bf
Unverified Commit cb8556bf authored 4 years ago by Waheed Ahmed Committed by GitHub 4 years ago
--- a/cms/static/js/spec/views/module_edit_spec.js
+++ b/cms/static/js/spec/views/module_edit_spec.js
@@ -213,11 +213,11 @@ describe('ModuleEdit', function() {
                return expect(this.moduleEdit.delegateEvents).toHaveBeenCalled();
            });
            it('loads inline css from fragments', function() {
-                var args = "<style type='text/css'>inline-css</style>";
+                var args = '<style type="text/css">inline-css</style>';
                return expect($('head').append).toHaveBeenCalledWith(args);
            });
            it('loads css urls from fragments', function() {
-                var args = "<link rel='stylesheet' href='css-url' type='text/css'>";
+                var args = '<link rel="stylesheet" href="css-url" type="text/css">';
                return expect($('head').append).toHaveBeenCalledWith(args);
            });
            it('loads inline js from fragments', function() {

--- a/cms/static/js/views/xblock.js
+++ b/cms/static/js/views/xblock.js
-define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/views/baseview', 'xblock/runtime.v1'],
-    function($, _, ViewUtils, BaseView, XBlock) {
+define(['jquery',
+    'underscore',
+    'common/js/components/utils/view_utils',
+    'js/views/baseview',
+    'xblock/runtime.v1',
+    'edx-ui-toolkit/js/utils/html-utils'],
+    function($, _, ViewUtils, BaseView, XBlock, HtmlUtils) {
        'use strict';

        var XBlockView = BaseView.extend({
@@ -157,7 +162,7 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
             * @param html The desired HTML.
             */
            updateHtml: function(element, html) {
-                element.html(html);
+                HtmlUtils.setHtml(element, HtmlUtils.HTML(html));
            },

            /**
@@ -214,19 +219,22 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
                    data = resource.data;
                if (mimetype === 'text/css') {
                    if (kind === 'text') {
-                        $head.append("<style type='text/css'>" + data + '</style>');
+                        // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+                        $head.append('<style type="text/css">' + data + '</style>');
                    } else if (kind === 'url') {
-                        $head.append("<link rel='stylesheet' href='" + data + "' type='text/css'>");
+                        // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+                        $head.append('<link rel="stylesheet" href="' + data + '" type="text/css">');
                    }
                } else if (mimetype === 'application/javascript') {
                    if (kind === 'text') {
+                        // xss-lint: disable=javascript-jquery-append,javascript-concat-html
                        $head.append('<script>' + data + '</script>');
                    } else if (kind === 'url') {
                        return ViewUtils.loadJavaScript(data);
                    }
                } else if (mimetype === 'text/html') {
                    if (placement === 'head') {
-                        $head.append(data);
+                        HtmlUtils.append($head, HtmlUtils.HTML(data));
                    }
                }
                // Return an already resolved promise for synchronous updates

--- a/cms/templates/component.html
+++ b/cms/templates/component.html
@@ -37,4 +37,4 @@
    </ul>
 </div>
 <span data-tooltip="${_("Drag to reorder")}" class="drag-handle action"></span>
-${preview | n}
+${preview | n, decode.utf8}