Fix edx-platform templates for xss.

This is part of a series of PRs that escape
edx-platform templates to prevent XSS attacks.

PROD-465
This commit is contained in:
Adeel Khan
2019-07-05 04:58:19 +05:00
parent d7902e91f6
commit 10ae9f5bf1
3 changed files with 35 additions and 27 deletions


@@ -1,3 +1,4 @@
<%page expression_filter="h"/>
<%namespace name='static' file='../static_content.html'/>
<%!
import urllib
@@ -24,35 +25,34 @@ from six import text_type
## Twitter account. {url} should appear at the end of the text.
tweet_text = _("I just enrolled in {number} {title} through {account}: {url}").format(
number=course.number,
title=course.display_name_with_default_escaped,
title=course.display_name_with_default,
account=static.get_value('course_about_twitter_account', settings.PLATFORM_TWITTER_ACCOUNT),
url=u"{protocol}://{domain}{path}".format(
protocol=site_protocol,
domain=site_domain,
path=urllib.quote_plus(
reverse('about_course', args=[text_type(course.id)])
)
path=reverse('about_course', args=[text_type(course.id)])
)
).replace(u" ", u"+")
tweet_action = u"http://twitter.com/intent/tweet?text={tweet_text}".format(tweet_text=tweet_text)
tweet_action = u"http://twitter.com/intent/tweet?text={tweet_text}".format(tweet_text=urllib.quote_plus(tweet_text.encode('UTF-8')))
facebook_link = static.get_value('course_about_facebook_link', settings.PLATFORM_FACEBOOK_ACCOUNT)
email_subject = u"mailto:?subject={subject}&body={body}".format(
subject=_("Take a course with {platform} online").format(platform=platform_name),
body=_("I just enrolled in {number} {title} through {platform} {url}").format(
email_body = _("I just enrolled in {number} {title} through {platform} {url}").format(
number=course.number,
title=course.display_name_with_default_escaped,
title=course.display_name_with_default,
platform=platform_name,
url=u"{protocol}://{domain}{path}".format(
protocol=site_protocol,
domain=site_domain,
path=urllib.quote_plus(
reverse('about_course', args=[text_type(course.id)]),
)
path=reverse('about_course', args=[text_type(course.id)]),
)
)
).replace(u" ", u"%20")
email_subject = _("Take a course with {platform} online").format(platform=platform_name)
email_link = u"mailto:?subject={subject}&body={body}".format(
subject=urllib.quote_plus(email_subject.encode('UTF-8')),
body=urllib.quote_plus(email_body.encode('UTF-8'))
)
%>
<a href="${tweet_action}" class="share">
<span class="icon fa fa-twitter" aria-hidden="true"></span><span class="sr">${_("Tweet that you've enrolled in this course")}</span>
@@ -60,7 +60,7 @@ from six import text_type
<a href="${facebook_link}" class="share">
<span class="icon fa fa-thumbs-up" aria-hidden="true"></span><span class="sr">${_("Post a Facebook message to say you've enrolled in this course")}</span>
</a>
<a href="${email_subject}" class="share">
<a href="${email_link}" class="share">
<span class="icon fa fa-envelope" aria-hidden="true"></span><span class="sr">${_("Email someone to say you've enrolled in this course")}</span>
</a>
</div>
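Review bot: The new `email_link` encodes the mailto subject and body with `urllib.quote_plus`, which turns spaces into `+`; a `mailto:` URL is percent-encoded per RFC 6068 and mail clients do not decode `+` as a space, so the recipient's draft reads "Take+a+course+with+...". The previous code used `%20` for the body for exactly this reason; the fix is `subject=urllib.quote(email_subject.encode('UTF-8'))` and `body=urllib.quote(email_body.encode('UTF-8'))`, leaving `quote_plus` only for the Twitter query string. It is not clear from this rendering whether the `.replace(u" ", u"+")` on `tweet_text` survived on the new side; if it did, `quote_plus` now encodes those pluses as `%2B` and the tweet shows literal `+` characters, so that `.replace` should go. Since the template already imports from `six`, `from six.moves.urllib.parse import quote, quote_plus` would also keep these calls working on Python 3, where `urllib.quote_plus` no longer exists.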


@@ -1,20 +1,23 @@
<%page args="credit_status" />
<%page args="credit_status" expression_filter="h"/>
<%!
from django.utils.translation import ugettext as _
from openedx.core.djangolib.markup import HTML, Text
%>
<%namespace name='static' file='../static_content.html'/>
% if credit_status["eligible"]:
<%
provider_link = '<a href="{href}" target="_blank">{name}</a>'.format(
provider_link = HTML('<a href="{href}" target="_blank">{name}</a>').format(
href=credit_status["provider_status_url"],
name=credit_status["provider_name"])
error = credit_status['error']
# Translators: provider_name is the name of a credit provider or university (e.g. State University)
credit_msg = _("You have completed this course and are eligible to purchase course credit. Select <strong>Get Credit</strong> to get started.")
credit_msg = Text(_("You have completed this course and are eligible to purchase course credit. Select {strong_start}Get Credit{strong_end} to get started.")).format(
strong_start=HTML('<strong>'),
strong_end=HTML('</strong>>'))
if credit_status['provider_name']:
credit_msg = _("You are now eligible for credit from {provider}. Congratulations!").format(provider=credit_status['provider_name'])
@@ -32,8 +35,10 @@
# Learner must initiate the credit request
# Translators: link_to_provider_site is a link to an external webpage. The text of the link will be the name of a credit provider, such as 'State University' or 'Happy Fun Company'.
credit_msg = _("Thank you for your payment. To receive course credit, you must now request credit "
"at the {link_to_provider_site} website. Select <b>Request Credit</b> to get started.").format(
credit_msg = Text(_("Thank you for your payment. To receive course credit, you must now request credit "
"at the {link_to_provider_site} website. Select {start_bold}Request Credit{end_bold} to get started.")).format(
start_bold=HTML('<b>'),
end_bold=HTML('</b>'),
link_to_provider_site=provider_link,
)
credit_msg_class = "credit-request-not-started-msg"
@@ -49,7 +54,9 @@
elif request_status == 'approved':
# Credit granted!
# Translators: link_to_provider_site is a link to an external webpage. The text of the link will be the name of a credit provider, such as 'State University' or 'Happy Fun Company'. provider_name is the name of credit provider.
credit_msg = _("<b>Congratulations!</b> {provider_name} has approved your request for course credit. To see your course credit, visit the {link_to_provider_site} website.").format(
credit_msg = Text(_("{start_bold}Congratulations!{end_bold} {provider_name} has approved your request for course credit. To see your course credit, visit the {link_to_provider_site} website.")).format(
start_bold=HTML('<b>'),
end_bold=HTML('</b>'),
provider_name=credit_status["provider_name"],
link_to_provider_site=provider_link,
)
@@ -59,7 +66,7 @@
elif request_status == 'rejected':
# REJECTED (by the credit provider)!
## Translators: link_to_provider_site is a link to an external webpage. The text of the link will be the name of a credit provider, such as 'State University' or 'Happy Fun Company'. provider_name is the name of credit provider.
credit_msg = _("{provider_name} did not approve your request for course credit. For more information, contact {link_to_provider_site} directly.").format(
credit_msg = Text(_("{provider_name} did not approve your request for course credit. For more information, contact {link_to_provider_site} directly.")).format(
provider_name=credit_status["provider_name"],
link_to_provider_site=provider_link,
)
@@ -70,15 +77,15 @@
<div class="message message-status is-shown credit-message">
<p class="message-copy is-hidden credit-error-msg" data-credit-error="${credit_status['error']}">
${_("An error occurred with this transaction. For help, contact {support_email}.").format(
support_email=u'<a href="mailto:{address}">{address}</a>'.format(
${Text(_("An error occurred with this transaction. For help, contact {support_email}.")).format(
support_email=HTML(u'<a href="mailto:{address}">{address}</a>').format(
address=settings.DEFAULT_FEEDBACK_EMAIL
)
)}
</p>
<div class="credit-action">
% if credit_btn_label:
<a class="btn credit-btn ${credit_btn_class}" href="${credit_btn_href | h}" target="_blank" data-course-key="${credit_status['course_key'] | h}" data-user="${user.username | h}" data-provider="${credit_status['provider_id'] | h}">
<a class="btn credit-btn ${credit_btn_class}" href="${credit_btn_href}" target="_blank" data-course-key="${credit_status['course_key']}" data-user="${user.username}" data-provider="${credit_status['provider_id']}">
${credit_btn_label}
</a>
% endif
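Review bot: `strong_end=HTML('</strong>>')` in the eligible-for-credit message has a stray `>` after the closing tag, so the rendered text shows a literal `>` after "Get Credit"; it should read `strong_end=HTML('</strong>'))`. The `start_bold`/`end_bold` pairs in the later hunks of this file are spelled correctly, so this looks like a typo confined to the first hunk, whose enclosing `<% %>` block continues past the end of that hunk. The unchanged branch just below it, `credit_msg = _("You are now eligible for credit from {provider}. Congratulations!").format(provider=credit_status['provider_name'])`, now depends on the page-level `h` filter instead of the `Text(...).format(...)` pattern used by every sibling assignment; wrapping it the same way keeps `credit_msg` a Markup value on every path and makes the escaping intent explicit. The `provider_link` anchor opens the provider site with `target="_blank"`; adding `rel="noopener noreferrer"` to that literal is a one-token change that keeps the external page from reaching back through `window.opener`.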


@@ -1,3 +1,4 @@
<%page expression_filter="h"/>
<%namespace name='static' file='/static_content.html'/>
<%inherit file="shopping_cart_flow.html" />
@@ -289,20 +290,20 @@ from openedx.core.djangolib.markup import HTML, Text
% endif
% for item, course in shoppingcart_items:
% if loop.index > 0 :
% if loop.index > 0:
<hr>
%endif
<div class="user-data">
<div class="clearfix">
<div class="image">
<img class="item-image" src="${course_image_url(course)}"
alt="${course.display_number_with_default | h} ${course.display_name_with_default | h} Image"/>
alt="${course.display_number_with_default} ${course.display_name_with_default} Image"/>
</div>
<div class="data-input">
<h3 class="course-title-info" id="course-title">
<span class="course-registration-title">${_('Registration for:')}</span>
<span class="course-display-name">${ course.display_name | h }</span>
<span class="course-display-name">${course.display_name}</span>
</h3>
<hr>
<div class="three-col">