diff --git a/lms/djangoapps/courseware/tests/test_views.py b/lms/djangoapps/courseware/tests/test_views.py
index a5efe744a8..879967419a 100644
--- a/lms/djangoapps/courseware/tests/test_views.py
+++ b/lms/djangoapps/courseware/tests/test_views.py
@@ -6,8 +6,10 @@ from django.http import Http404
from django.test.utils import override_settings
from django.contrib.auth.models import User
from django.test.client import RequestFactory
+from django.core.urlresolvers import reverse
from student.models import CourseEnrollment
+from student.tests.factories import AdminFactory
from xmodule.modulestore.django import modulestore
import courseware.views as views
@@ -124,3 +126,27 @@ class ViewsTestCase(TestCase):
self.assertContains(result, expected_end_text)
else:
self.assertNotContains(result, "Classes End")
+
+ def test_submission_history_xss(self):
+ # log into a staff account
+ admin = AdminFactory()
+
+ self.client.login(username=admin.username, password='test')
+
+ # try it with an existing user and a malicious location
+ url = reverse('submission_history', kwargs={
+ 'course_id': self.course_id,
+ 'student_username': 'dummy',
+ 'location': ''
+ })
+ response = self.client.get(url)
+ self.assertFalse('',
+ 'location': 'dummy'
+ })
+ response = self.client.get(url)
+ self.assertFalse('