Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #226 from edx/im-security-13

Browse Source 
Incident Management Security Fix 13
This commit is contained in:
Azan Bin Zahid
2021-04-02 12:30:04 +05:00
committed by GitHub
parent 4cb4be6afe 5e466bc772
commit 2136cde713
4 changed files with 34 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/djangoapps/third_party_auth/templates/third_party_auth/post_custom_auth_entry.html
View File

@@ -2,7 +2,7 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>{% trans "Please wait" %}</title>
<title>{% trans "Please wait" as tmsg %}{{tmsg|force_escape}}</title>
<style type="text/css">
#djDebug {display:none;}
</style>

11
common/lib/xmodule/xmodule/js/src/collapsible.js
View File

@@ -29,7 +29,7 @@
// Standard longform + shortfom pattern.
el.find('.longform').hide();
el.find('.shortform').append(linkTop, linkBottom);
el.find('.shortform').append(linkTop, linkBottom); // xss-lint: disable=javascript-jquery-append
// Custom longform + shortform text pattern.
short_custom = el.find('.shortform-custom');
@@ -40,7 +40,14 @@
open_text = $(elt).data('open-text');
close_text = $(elt).data('close-text');
$(elt).append("<a href='#' class='full-custom'>" + open_text + '</a>');
edx.HtmlUtils.append(
$(elt),
edx.HtmlUtils.joinHtml(
edx.HtmlUtils.HTML("<a href='#' class='full-custom'>"),
gettext(open_text),
edx.HtmlUtils.HTML('</a>')
)
);
$(elt).find('.full-custom').click(function(event) {
Collapsible.toggleFull(event, open_text, close_text);

26
lms/static/js/api_admin/views/catalog_preview.js
View File

@@ -6,8 +6,9 @@
'underscore',
'gettext',
'text!../../../templates/api_admin/catalog-results.underscore',
'text!../../../templates/api_admin/catalog-error.underscore'
], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl) {
'text!../../../templates/api_admin/catalog-error.underscore',
'edx-ui-toolkit/js/utils/html-utils'
], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl, HtmlUtils) {
return Backbone.View.extend({
events: {
@@ -20,9 +21,8 @@
},
render: function() {
this.$('#id_query').after(
'<button class="preview-query">' + gettext('Preview this query') + '</button>'
);
// eslint-disable-next-line
this.$('#id_query').after(HtmlUtils.joinHtml(HtmlUtils.HTML('<button class="preview-query">'), gettext('Preview this query'), HtmlUtils.HTML('</button>')).toString());
return this;
},
@@ -44,7 +44,10 @@
method: 'GET',
success: _.bind(this.renderCourses, this),
error: _.bind(function() {
this.$('.preview-results').html(_.template(catalogErrorTpl)({}));
HtmlUtils.setHtml(
this.$('.preview-results'),
HtmlUtils.template(catalogErrorTpl)({})
);
}, this)
});
},
@@ -54,10 +57,13 @@
* courses API.
*/
renderCourses: function(data) {
this.$('.preview-results').html(_.template(catalogResultsTpl)({
courses: data.results,
catalogApiUrl: this.catalogApiUrl
}));
HtmlUtils.setHtml(
this.$('.preview-results'),
HtmlUtils.template(catalogResultsTpl)({
courses: data.results,
catalogApiUrl: this.catalogApiUrl
})
);
}
});
});

12
lms/static/js/discovery/views/filter_bar.js
View File

@@ -5,8 +5,9 @@
'backbone',
'gettext',
'js/discovery/models/filter',
'js/discovery/views/filter_label'
], function($, _, Backbone, gettext, Filter, FilterLabel) {
'js/discovery/views/filter_label',
'edx-ui-toolkit/js/utils/html-utils'
], function($, _, Backbone, gettext, Filter, FilterLabel, HtmlUtils) {
'use strict';
return Backbone.View.extend({
@@ -20,7 +21,7 @@
},
initialize: function() {
this.tpl = _.template($(this.templateId).html());
this.tpl = HtmlUtils.template($(this.templateId).html());
this.render();
this.listenTo(this.collection, 'remove', this.hideIfEmpty);
this.listenTo(this.collection, 'add', this.addFilter);
@@ -28,7 +29,10 @@
},
render: function() {
this.$el.html(this.tpl());
HtmlUtils.setHtml(
this.$el,
this.tpl()
);
this.$ul = this.$el.find('ul');
this.$el.addClass('is-animated');
return this;