Merge pull request #202 from edx/sustaining/security-fixes-5

Sustaining/security fixes 5

Merge pull request #202 from edx/sustaining/security-fixes-5
Sustaining/security fixes 5
f87e1d26 · Ali Akbar · GitHub · e6377043 · 893a01f1 · f87e1d26
Unverified Commit f87e1d26 authored 4 years ago by Ali Akbar Committed by GitHub 4 years ago
--- a/lms/templates/ccx/coach_dashboard.html
+++ b/lms/templates/ccx/coach_dashboard.html
@@ -129,8 +129,9 @@ from openedx.core.djangolib.js_utils import (
          studentId = $('<input />', {
            type: 'hidden',
            name: 'student-id',
-            value: selectedStudent
+            value: edx.HtmlUtils.ensureHtml(selectedStudent)
          });
+          // xss-lint: disable=javascript-jquery-append
          form.append(action, studentId).submit();
        }
    });
@@ -153,7 +154,7 @@ from openedx.core.djangolib.js_utils import (
      $errorMessage.show();
      return false;
    } else if (hasCcxConnector) {
-      $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}');
+      $errorMessage.text('${use_ccx_con_error_message | n, js_escaped_string}');
      $errorMessage.show();
      return false;
    }

--- a/lms/templates/components/card/card.underscore
+++ b/lms/templates/components/card/card.underscore
@@ -6,7 +6,7 @@
        <% } %>
        <h3 class="card-title"
            <% if (!_.isUndefined(srInfo)) { %>
-                aria-describedby="<%= srInfo.id %>"
+                aria-describedby="<%- srInfo.id %>"
            <% } %>
            ><%- title %>
        </h3>
@@ -17,7 +17,8 @@
    <div class="card-meta">
    </div>
    <div class="card-actions">
-        <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+        <% // xss-lint: disable=underscore-not-escaped %>
+        <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
    </div>
 </div>
 <% } else { %>
@@ -28,14 +29,15 @@
        <% } %>
        <h3 class="card-title"
            <% if (!_.isUndefined(srInfo)) { %>
-                aria-describedby="<%= srInfo.id %>"
+                aria-describedby="<%- srInfo.id %>"
            <% } %>
            ><%- title %>
        </h3>
        <p class="card-description"><%- description %></p>
    </div>
    <div class="card-actions">
-        <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+        <% // xss-lint: disable=underscore-not-escaped %>
+        <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
    </div>
 </div>
 <div class="wrapper-card-meta">

--- a/lms/templates/edxnotes/note-item.underscore
+++ b/lms/templates/edxnotes/note-item.underscore
@@ -18,6 +18,7 @@
        <li class="note-comment">
            <p class="note-comment-title"><%- gettext("You commented...") %></p>
            <p class="note-comment-p">
+                <% // xss-lint: disable=underscore-not-escaped %>
                <%= interpolate_text(_.escape(text), {
                    elasticsearch_highlight_start: '<span class="note-highlight">',
                    elasticsearch_highlight_end: '</span>'
@@ -32,7 +33,7 @@
    <div class="wrapper-reference-content">
        <p class="reference-title"><%- gettext("Noted in:") %></p>
        <% if (unit.url) { %>
-          <a class="reference-meta reference-unit-link" href="<%= unit.url %>#<%= id %>"><%- unit.display_name %></a>
+          <a class="reference-meta reference-unit-link" href="<%- unit.url %>#<%- id %>"><%- unit.display_name %></a>
        <% } else { %>
          <span class="reference-meta"><%- unit.display_name %></span>
        <% } %>
@@ -44,6 +45,7 @@
            <p class="reference-title"><%- gettext("Tags:") %></p>
            <% for (var i = 0; i < tags.length; i++) { %>
                <span class="reference-meta reference-tags">
+                    <% // xss-lint: disable=underscore-not-escaped %>
                    <%= interpolate_text(_.escape(tags[i]), {
                        elasticsearch_highlight_start: '<span class="note-highlight">',
                        elasticsearch_highlight_end: '</span>'

--- a/lms/templates/edxnotes/tab-item.underscore
+++ b/lms/templates/edxnotes/tab-item.underscore
 <% var hasIcon = icon ? 1 : 0; %>

 <a class="tab-label <% if (hasIcon) { print('has-icon') } %>" href="#">
-  <% if (hasIcon) { %><span class="icon <%= icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
+  <% if (hasIcon) { %><span class="icon <%- icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
 </a>

 <% if (is_closable) { %>

--- a/lms/templates/fields/field_image.underscore
+++ b/lms/templates/fields/field_image.underscore
 <div class="image-wrapper">
-    <img class="image-frame" src="<%- imageUrl %>"  alt="<%=imageAltText%>"/>
+    <img class="image-frame" src="<%- imageUrl %>"  alt="<%-imageAltText%>"/>
    <div class="u-field-actions">
        <label class="u-field-upload-button">
+            <% // xss-lint: disable=underscore-not-escaped %>
            <span class="upload-button-icon" aria-hidden="true"><%= uploadButtonIcon %></span>
-            <span class="upload-button-title" aria-live="polite"><%= uploadButtonTitle %></span>
-            <input class="upload-button-input" type="file" name="<%= inputName %>"/>
+            <span class="upload-button-title" aria-live="polite"><%- uploadButtonTitle %></span>
+            <input class="upload-button-input" type="file" name="<%- inputName %>"/>
       	</label>
-       	<button class="upload-submit" type="button" hidden="true"><%= uploadButtonTitle %></button>
+       	<button class="upload-submit" type="button" hidden="true"><%- uploadButtonTitle %></button>
        <button class="u-field-remove-button" type="button">
+            <% // xss-lint: disable=underscore-not-escaped %>
            <span class="remove-button-icon" aria-hidden="true"><%= removeButtonIcon %></span>
-            <span class="remove-button-title" aria-live="polite"><%= removeButtonTitle %></span>
-            <span class="sr"><%= screenReaderTitle %></span>
+            <span class="remove-button-title" aria-live="polite"><%- removeButtonTitle %></span>
+            <span class="sr"><%- screenReaderTitle %></span>
        </button>
    </div>
 </div>
--- a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
+++ b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
@@ -12,7 +12,7 @@
            <td> <%- is_registration_code_valid %> </td>
            <td>
                <% _.each(actions, function(action){ %>
-                    <a class="registration_code_action_link" data-registration-code="<%= action.registration_code %>" data-action-type="<%= action.action_type %>" href="#" data-endpoint="<%= action.action_url %>">
+                    <a class="registration_code_action_link" data-registration-code="<%- action.registration_code %>" data-action-type="<%- action.action_type %>" href="#" data-endpoint="<%- action.action_url %>">
                        <%- action.action_name %>
                    </a>
                <% }); %>

--- a/lms/templates/learner_dashboard/program_card.underscore
+++ b/lms/templates/learner_dashboard/program_card.underscore
@@ -57,7 +57,7 @@
            <source srcset="<%- smallBannerUrl %>" media="(max-width: <%- breakpoints.max.small %>)">
            <source srcset="<%- mediumBannerUrl %>" media="(max-width: <%- breakpoints.max.medium %>)">
            <source srcset="<%- xsmallBannerUrl %>" media="(max-width: <%- breakpoints.max.large %>)">
-            <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%= interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
+            <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%- interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
        </picture>
    </div>
 </a>
--- a/lms/templates/video.html
+++ b/lms/templates/video.html
@@ -2,7 +2,9 @@

 <%!
 from django.utils.translation import ugettext as _
-from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
 %>
 % if display_name is not UNDEFINED and display_name is not None:
    <h3 class="hd hd-2">${display_name}</h3>
@@ -98,14 +100,14 @@ from openedx.core.djangolib.js_utils import js_escaped_string
  var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
  var id = "${id | n, js_escaped_string}";
  function initializeCDNExperiment() {
-    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
+    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, "", "load");
    cdnStartTime = Date.now();
    $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata',
                    'loadeddata', 'canplay', 'canplaythrough', 'seeked'],
                    function(index, eventName) {
      $("#video_" + id).bind("html5:" + eventName, null, function() {
        timeElapsed = Date.now() - cdnStartTime;
-        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, timeElapsed, eventName);
      });
    });
  }