From 2926c94330491cbaa3232b7c76d197453ffba069 Mon Sep 17 00:00:00 2001
From: Diana Huang <dkh@edx.org>
Date: Mon, 22 Jul 2013 14:20:18 -0400
Subject: [PATCH 1/2] Prevent XSS attack via submission_history page.

Conflicts:
	lms/djangoapps/courseware/tests/test_views.py
---
 lms/djangoapps/courseware/tests/test_views.py | 26 +++++++++++++++++++
 lms/djangoapps/courseware/views.py            | 12 ++++-----
 .../courseware/submission_history.html        |  2 +-
 3 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/lms/djangoapps/courseware/tests/test_views.py b/lms/djangoapps/courseware/tests/test_views.py
index a5efe744a8..879967419a 100644
--- a/lms/djangoapps/courseware/tests/test_views.py
+++ b/lms/djangoapps/courseware/tests/test_views.py
@@ -6,8 +6,10 @@ from django.http import Http404
 from django.test.utils import override_settings
 from django.contrib.auth.models import User
 from django.test.client import RequestFactory
+from django.core.urlresolvers import reverse
 
 from student.models import CourseEnrollment
+from student.tests.factories import AdminFactory
 from xmodule.modulestore.django import modulestore
 
 import courseware.views as views
@@ -124,3 +126,27 @@ class ViewsTestCase(TestCase):
             self.assertContains(result, expected_end_text)
         else:
             self.assertNotContains(result, "Classes End")
+
+    def test_submission_history_xss(self):
+        # log into a staff account
+        admin = AdminFactory()
+
+        self.client.login(username=admin.username, password='test')
+
+        # try it with an existing user and a malicious location
+        url = reverse('submission_history', kwargs={
+            'course_id': self.course_id,
+            'student_username': 'dummy',
+            'location': '<script>alert("hello");</script>'
+        })
+        response = self.client.get(url)
+        self.assertFalse('<script>' in response.content)
+
+        # try it with a malicious user and a non-existent location
+        url = reverse('submission_history', kwargs={
+            'course_id': self.course_id,
+            'student_username': '<script>alert("hello");</script>',
+            'location': 'dummy'
+        })
+        response = self.client.get(url)
+        self.assertFalse('<script>' in response.content)
diff --git a/lms/djangoapps/courseware/views.py b/lms/djangoapps/courseware/views.py
index 9c5a665754..4cc8b6a43b 100644
--- a/lms/djangoapps/courseware/views.py
+++ b/lms/djangoapps/courseware/views.py
@@ -14,6 +14,7 @@ from django.shortcuts import redirect
 from mitxmako.shortcuts import render_to_response, render_to_string
 from django_future.csrf import ensure_csrf_cookie
 from django.views.decorators.cache import cache_control
+from markupsafe import escape
 
 from courseware import grades
 from courseware.access import has_access
@@ -709,19 +710,16 @@ def submission_history(request, course_id, student_username, location):
                                                    module_state_key=location,
                                                    student_id=student.id)
     except User.DoesNotExist:
-        return HttpResponse("User {0} does not exist.".format(student_username))
+        return HttpResponse(escape("User {0} does not exist.".format(student_username)))
     except StudentModule.DoesNotExist:
-        return HttpResponse("{0} has never accessed problem {1}"
-                            .format(student_username, location))
+        return HttpResponse(escape("{0} has never accessed problem {1}".format(student_username, location)))
 
-    history_entries = StudentModuleHistory.objects \
-                      .filter(student_module=student_module).order_by('-id')
+    history_entries = StudentModuleHistory.objects.filter(student_module=student_module).order_by('-id')
 
     # If no history records exist, let's force a save to get history started.
     if not history_entries:
         student_module.save()
-        history_entries = StudentModuleHistory.objects \
-                          .filter(student_module=student_module).order_by('-id')
+        history_entries = StudentModuleHistory.objects.filter(student_module=student_module).order_by('-id')
 
     context = {
         'history_entries': history_entries,
diff --git a/lms/templates/courseware/submission_history.html b/lms/templates/courseware/submission_history.html
index 683c61c5a0..b4ce5ed2a6 100644
--- a/lms/templates/courseware/submission_history.html
+++ b/lms/templates/courseware/submission_history.html
@@ -1,5 +1,5 @@
 <% import json  %>
-<h3>${username} > ${course_id} > ${location}</h3>
+<h3>${username | h} > ${course_id | h} > ${location | h}</h3>
 
 % for i, entry in enumerate(history_entries):
 <hr/>

From 31e1b0e5e9a92d6724edd85e872fb16e0e620df0 Mon Sep 17 00:00:00 2001
From: Brian Talbot <btalbot@edx.org>
Date: Mon, 22 Jul 2013 09:45:08 -0400
Subject: [PATCH 2/2] Studio: revises spacing fix for welcome to edX studio
 title

Conflicts:
	cms/templates/howitworks.html
---
 cms/static/sass/views/_index.scss | 5 +++++
 cms/templates/howitworks.html     | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cms/static/sass/views/_index.scss b/cms/static/sass/views/_index.scss
index ddb2ecce89..d571949cba 100644
--- a/cms/static/sass/views/_index.scss
+++ b/cms/static/sass/views/_index.scss
@@ -71,8 +71,13 @@ body.index {
         color: $white;
       }
 
+      .wrapper-text-welcome, .logo {
+        display: inline-block;
+      }
+
       .logo {
         font-weight: 600;
+        margin-left: ($baseline/2);
       }
 
       .tagline {
diff --git a/cms/templates/howitworks.html b/cms/templates/howitworks.html
index a791f5d1fa..e3a92aa345 100644
--- a/cms/templates/howitworks.html
+++ b/cms/templates/howitworks.html
@@ -11,7 +11,7 @@
   <section class="content content-header">
     <header>
       ## "edX Studio" should not be translated
-      <h1>${_('Welcome to')}<span class="logo">edX Studio</span></h1>
+      <h1><span class="wrapper-text-welcome">${_('Welcome to')}</span><span class="logo">edX Studio</span></h1>
       <p class="tagline">${_("Studio helps manage your courses online, so you can focus on teaching them")}</p>
     </header>
   </section>