Merge pull request #213 from edx/IM/security-fixes-4

Incident Management Security Fixes 4
Ali Akbar
2021-01-08 21:46:05 +05:00
committed by GitHub
12 changed files with 105 additions and 82 deletions


@@ -9,6 +9,8 @@ from functools import wraps
from lxml import etree
from openedx.core.djangolib.markup import Text
from .x_module import XModuleDescriptor
log = logging.getLogger(__name__)
@@ -74,8 +76,8 @@ class SemanticSectionDescriptor(XModuleDescriptor):
the child element
"""
xml_object = etree.fromstring(xml_data)
system.error_tracker("WARNING: the <{0}> tag is deprecated. Please do not use in new content."
.format(xml_object.tag))
system.error_tracker(Text("WARNING: the <{tag}> tag is deprecated. Please do not use in new content.")
.format(tag=xml_object.tag))
if len(xml_object) == 1:
for (key, val) in xml_object.items():
@@ -98,8 +100,8 @@ class TranslateCustomTagDescriptor(XModuleDescriptor):
"""
xml_object = etree.fromstring(xml_data)
system.error_tracker('WARNING: the <{tag}> tag is deprecated. '
'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. '
system.error_tracker(Text('WARNING: the <{tag}> tag is deprecated. '
'Instead, use <customtag impl="{tag}" attr1="..." attr2="..."/>. ')
.format(tag=xml_object.tag))
tag = xml_object.tag
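Review bot: Text() escapes the string it is handed as well as the values later passed to .format(), so the literal `<` and `>` around the tag name in the deprecation messages at L23 and L32 are now emitted as `&lt;`/`&gt;` along with an escaped `xml_object.tag`; that is right only if the error tracker's sink renders HTML, so it is worth confirming the same messages do not also land in plain-text logs where they would read as entity-encoded. A short comment above the first call, `# Text().format() HTML-escapes the tag name taken from course XML`, would keep a later cleanup from reverting to str.format. Both enclosing methods start outside the hunks shown.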


@@ -2,24 +2,24 @@
<!-- ${width} = 300 -->
<!-- ${height} = 400 -->
<div class="imageinput capa_inputtype" id="inputtype_<%=id%>">
<div class="imageinput capa_inputtype" id="inputtype_<%-id%>">
<input
type="hidden"
class="imageinput"
src=""
name="input_<%=id%>"
id="input_<%=id%>"
name="input_<%-id%>"
id="input_<%-id%>"
value=""
/>
<div style="position:relative;">
<div
id="imageinput_<%=id%>"
style="width: <%=width%>px; height: <%=height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
id="imageinput_<%-id%>"
style="width: <%-width%>px; height: <%-height%>px; position: relative; left: 0; top: 0; visibility: hidden;"
>
<!-- image will go here -->
</div>
<div id="answer_<%=id%>" data-width="100" data-height="100"></div>
<div id="answer_<%-id%>" data-width="100" data-height="100"></div>
</div>
@@ -27,8 +27,8 @@
<span
class="unanswered"
style="display: inline-block;"
id="status_<%=id%>"
aria-describedby="input_<%=id%>"
id="status_<%-id%>"
aria-describedby="input_<%-id%>"
>
<span class="sr">Status: unanswered</span>
</span>
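Review bot: Switching to `<%-width%>` and `<%-height%>` at L59 keeps the values from closing the style attribute, but HTML-escaping does not constrain them to CSS lengths, so the style rule still depends on whoever supplies them passing pixel counts. Since the comments at L40-L41 say these are fixed numbers, the JavaScript that renders this template should coerce them with Number() before interpolation rather than relying on escaping alone; where the values originate is outside this template.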


@@ -154,7 +154,7 @@
var endTime = (this.config.endTime !== null) ? this.config.endTime : params.duration;
// in case endTime is accidentally specified as being greater than the video
endTime = Math.min(endTime, params.duration);
this.videoControl.vidTimeEl.html(Time.format(params.time) + ' / ' + Time.format(endTime));
this.videoControl.vidTimeEl.text(Time.format(params.time) + ' / ' + Time.format(endTime));
}
}
);


@@ -3,9 +3,16 @@
function create_handler(saved_div) {
return (function(response) {
if (response.error) {
saved_div.html("<span class='error'>" + response.error + '</span>');
edx.HtmlUtils.setHtml(
saved_div,
edx.HtmlUtils.joinHtml(
edx.HtmlUtils.HTML("<span class='error'>"),
response.error,
edx.HtmlUtils.HTML('</span>')
)
);
} else {
saved_div.html(response.preview);
saved_div.html(edx.HtmlUtils.HTML(response.preview).toString());
}
});
}
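Review bot: The else branch at L107 only changes what the linter sees: `edx.HtmlUtils.HTML(response.preview).toString()` returns response.preview unchanged, so `saved_div.html(...)` inserts the server response exactly as the removed line at L106 did. If the preview is trusted because it is rendered server-side, record that where the trust is granted, e.g. `// response.preview is server-rendered HTML; marked trusted deliberately`, and write the call as `edx.HtmlUtils.setHtml(saved_div, edx.HtmlUtils.HTML(response.preview));` to match the error branch above it. The same wrap-and-toString pattern appears at L322 and L378 and deserves the same comment there.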


@@ -1,5 +1,5 @@
(function(requirejs, require, define) {
define([], function() {
define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
return {
initializeBaseTargets: initializeBaseTargets,
initializeTargetField: initializeTargetField,
@@ -76,17 +76,19 @@
}
$targetEl = $(
'<div ' +
'style=" ' +
'display: block; ' +
'position: absolute; ' +
'width: ' + obj.w + 'px; ' +
'height: ' + obj.h + 'px; ' +
'top: ' + obj.y + 'px; ' +
'left: ' + obj.x + 'px; ' +
borderCss +
'" ' +
'aria-dropeffect=""></div>'
HtmlUtils.joinHtml(
HtmlUtils.HTML('<div style="display: block; position: absolute; width: '),
obj.w,
HtmlUtils.HTML('px; height: '),
obj.h,
HtmlUtils.HTML('px; top: '),
obj.y,
HtmlUtils.HTML('px; left: '),
obj.x,
HtmlUtils.HTML('px; '),
borderCss,
HtmlUtils.HTML('"aria-dropeffect=""></div>')
).toString()
);
if (fromTargetField === true) {
$targetEl.appendTo(draggableObj.iconEl);
@@ -100,23 +102,17 @@
if (state.config.onePerTarget === false) {
$numTextEl = $(
'<div ' +
'style=" ' +
'display: block; ' +
'position: absolute; ' +
'width: 24px; ' +
'height: 24px; ' +
'top: ' + obj.y + 'px; ' +
'left: ' + (obj.x + obj.w - 24) + 'px; ' +
'border: 1px solid black; ' +
'text-align: center; ' +
'z-index: 500; ' +
'background-color: white; ' +
'font-size: 0.95em; ' +
'color: #009fe2; ' +
'" ' +
'>0</div>'
);
HtmlUtils.joinHtml(
HtmlUtils.HTML('<div style=" display: block; position: absolute;'),
HtmlUtils.HTML('width: 24px; height: 24px; top: '),
obj.y,
HtmlUtils.HTML('px; left: '),
obj.x,
obj.w - 24,
HtmlUtils.HTML('px; border: 1px solid black; text-align: center; z-index: 500;'),
HtmlUtils.HTML('background-color: white; font-size: 0.95em; color: #009fe2; ">0</div>')
).toString()
);
} else {
$numTextEl = null;
}
@@ -263,7 +259,7 @@
function updateNumTextEl() {
if (this.numTextEl !== null) {
this.numTextEl.html(this.draggableList.length);
this.numTextEl.text(this.draggableList.length);
}
}
}); // End-of: define([], function () {
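Review bot: The `left:` value of the counter badge is computed incorrectly: `obj.x` and `obj.w - 24` are passed to joinHtml as two separate arguments at L176-L177, so they are stringified and concatenated (x=100, w=50 yields "10026px"), whereas the removed line at L161 added them; pass the sum as one argument, `obj.x + obj.w - 24,`. In the target markup at L146 the closing fragment `'"aria-dropeffect=""></div>'` has lost the space between the style attribute and the next attribute name that the removed lines L133-L134 had; it should read `HtmlUtils.HTML('" aria-dropeffect=""></div>')`. The functions assigning $targetEl and $numTextEl start outside their hunks.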


@@ -3,26 +3,33 @@
*/
(function(define) {
'use strict';
define(['backbone', 'text!templates/components/header/header.underscore'],
function(Backbone, headerTemplate) {
var HeaderView = Backbone.View.extend({
initialize: function(options) {
this.template = _.template(headerTemplate);
this.headerActionsView = options.headerActionsView;
this.listenTo(this.model, 'change', this.render);
this.render();
},
define([
'backbone',
'text!templates/components/header/header.underscore',
'edx-ui-toolkit/js/utils/html-utils'
],
function(Backbone, headerTemplate, HtmlUtils) {
var HeaderView = Backbone.View.extend({
initialize: function(options) {
this.template = HtmlUtils.template(headerTemplate);
this.headerActionsView = options.headerActionsView;
this.listenTo(this.model, 'change', this.render);
this.render();
},
render: function() {
var json = this.model.attributes;
this.$el.html(this.template(json));
if (this.headerActionsView) {
this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
}
return this;
}
});
render: function() {
var json = this.model.attributes;
HtmlUtils.setHtml(
this.$el,
this.template(json)
);
if (this.headerActionsView) {
this.headerActionsView.setElement(this.$('.page-header-secondary')).render();
}
return this;
}
});
return HeaderView;
});
return HeaderView;
});
}).call(this, define || RequireJS.define);
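Review bot: HtmlUtils.template at L217 marks the rendered header as trusted HTML but does not itself escape anything, so escaping of the model attributes passed at L235 still depends on header.underscore using `<%- %>` rather than `<%= %>`, and that template is not part of this change; its interpolations should be checked before the setHtml call at L233 is counted as the fix. A one-line comment above L217, `// escaping is done in header.underscore via <%- %>; the rendered result is trusted`, would record where that responsibility sits.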


@@ -23,22 +23,25 @@ $(function() {
var cancel_submit = false;
$inputs.each(function() {
var val, fieldLabel;
/* see if it is a required field and - if so - make sure user presented all information */
if (typeof $(this).attr('required') !== typeof undefined) {
var val = $(this).val();
val = $(this).val();
if (typeof(val) === 'string') {
if (val.trim().length === 0) {
var field_label = $(this).parent().find('label');
fieldLabel = $(this).parent().find('label');
$(this).parent().addClass('field-error');
$('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
// eslint-disable-next-line max-len
$('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
cancel_submit = true;
}
} else if (typeof(val) === 'object') {
/* for SELECT statements */
if (val === null || val.length === 0 || val[0] === '') {
var field_label = $(this).parent().find('label');
fieldLabel = $(this).parent().find('label');
$(this).parent().addClass('field-error');
$('.status.message.submission-error .message-copy').append("<li class='error-item'>" + field_label.text() + '</li>');
// eslint-disable-next-line max-len
$('.status.message.submission-error .message-copy').append(edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML("<li class='error-item'>"), fieldLabel.text(), edx.HtmlUtils.HTML('</li>')).toString());
cancel_submit = true;
}
}
@@ -70,7 +73,7 @@ $(function() {
json = $.parseJSON(jqXHR.responseText);
$('.status.message.submission-error').addClass('is-shown').focus();
$('.status.message.submission-error .message-copy').
html(gettext('There has been an error processing your survey.')).
text(gettext('There has been an error processing your survey.')).
stop().
css('display', 'block');
});
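Review bot: The error-item block is now duplicated verbatim at L262-L267 and L273-L278, each behind its own `eslint-disable-next-line max-len`, and the two copies will drift the next time one is touched; a small helper that takes the field element removes both the duplication and the lint exemptions, and `edx.HtmlUtils.append` (used elsewhere in this change) takes the joinHtml snippet directly without the `.toString()`. The `$(function() {` wrapper and the `$inputs.each` callback start or end outside the hunk, so the helper belongs between L252 and L253.
```javascript
var reportRequiredFieldError = function($field) {
    var fieldLabel = $field.parent().find('label');
    $field.parent().addClass('field-error');
    edx.HtmlUtils.append(
        $('.status.message.submission-error .message-copy'),
        edx.HtmlUtils.joinHtml(
            edx.HtmlUtils.HTML("<li class='error-item'>"),
            fieldLabel.text(),
            edx.HtmlUtils.HTML('</li>')
        )
    );
};
// … unchanged: $inputs.each(function() { … required-field and string checks …
if (val.trim().length === 0) {
    reportRequiredFieldError($(this));
    cancel_submit = true;
}
// … unchanged: else-if branch for SELECT values, calling reportRequiredFieldError($(this)) the same way …
```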


@@ -201,8 +201,8 @@ Mostly adapted from math.stackexchange.com: http://cdn.sstatic.net/js/mathjax-ed
.append($("<textarea>")
.addClass("wmd-input")
.attr("id", wmdInputId)
.html(initialText))
.append($wmdPreviewContainer); // xss-lint: disable=javascript-jquery-html
.html(initialText)) // xss-lint: disable=javascript-jquery-html
.append($wmdPreviewContainer);
$elem.append($wmdPanel);
}
converter = Markdown.getMathCompatibleConverter(postProcessor);


@@ -1,7 +1,8 @@
(function(define, undefined) {
'use strict';
define(['gettext', 'underscore', 'jquery', 'backbone', 'js/edxnotes/utils/template'],
function(gettext, _, $, Backbone, templateUtils) {
define(['gettext', 'underscore',
'jquery', 'backbone', 'js/edxnotes/utils/template', 'edx-ui-toolkit/js/utils/html-utils'],
function(gettext, _, $, Backbone, templateUtils, HtmlUtils) {
var TabItemView = Backbone.View.extend({
tagName: 'li',
className: 'tab',
@@ -34,7 +35,7 @@ function(gettext, _, $, Backbone, templateUtils) {
render: function() {
var html = this.template(this.model.toJSON());
this.$el.html(html);
this.$el.html(HtmlUtils.HTML(html).toString());
return this;
},


@@ -1,13 +1,14 @@
(function(define, undefined) {
'use strict';
define(['gettext', 'underscore', 'backbone', 'js/edxnotes/views/note_item',
'common/js/components/views/paging_header', 'common/js/components/views/paging_footer'],
function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView) {
'common/js/components/views/paging_header', 'common/js/components/views/paging_footer',
'edx-ui-toolkit/js/utils/html-utils'],
function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView, HtmlUtils) {
var TabPanelView = Backbone.View.extend({
tagName: 'section',
className: 'tab-panel',
title: '',
titleTemplate: _.template('<h2 class="sr"><%- text %></h2>'),
titleTemplate: HtmlUtils.template('<h2 class="sr"><%- text %></h2>'),
attributes: {
tabindex: -1
},
@@ -25,7 +26,10 @@ function(gettext, _, Backbone, NoteItemView, PagingHeaderView, PagingFooterView)
},
render: function() {
this.$el.html(this.getTitle());
HtmlUtils.setHtml(
this.$el,
this.getTitle()
);
this.renderView(this.pagingHeaderView);
this.renderContent();
this.renderView(this.pagingFooterView);
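Review bot: getTitle(), called at L352, is defined outside the hunk; because titleTemplate at L342 now returns an HtmlSnippet instead of a string, any other caller that concatenates or compares getTitle()'s result would need a `.toString()`, which is worth checking while the view is being converted. A comment on L342, `// returns an HtmlSnippet; use HtmlUtils.setHtml/append, not string concatenation`, would make the changed return type visible to those callers.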


@@ -20,7 +20,10 @@
};
var overlay = '<div id="lean_overlay"></div>';
if ($('#lean_overlay').length === 0) {
$('body').append($(overlay));
edx.HtmlUtils.append(
$('body'),
$(overlay)
);
}
options = $.extend(defaults, options); // eslint-disable-line no-param-reassign
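Review bot: edx.HtmlUtils.append at L365 is handed a jQuery object, `$(overlay)`, where the toolkit's insertion helpers take an HtmlSnippet; if append routes its argument through ensureHtml (the helper used at L375 in this same change), a non-snippet is stringified and escaped, so the overlay would be appended to body as text rather than as an element. Since overlay is a fixed literal at L362, `edx.HtmlUtils.append($('body'), edx.HtmlUtils.HTML(overlay));` avoids the question and should be confirmed in the browser either way. The enclosing function starts outside the hunk.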


@@ -33,7 +33,7 @@ class CollectionListView extends Backbone.View {
this.$el.before(HtmlUtils.ensureHtml(this.getTitleHtml()).toString());
}
this.$el.html(childList);
this.$el.html(HtmlUtils.HTML(childList).toString());
}
}