Merge pull request #11883 from edx/cdyer/safe-marathon-1
Added safety to lms/templates/student_account/account_settings.html
@@ -286,7 +286,7 @@ class AccountSettingsPageTest(AccountSettingsTestMixin, WebAppTest):
|
||||
u'email',
|
||||
u'Email Address',
|
||||
email,
|
||||
u'@',
|
||||
u'test@example.com' + XSS_INJECTION,
|
||||
[u'me@here.com', u'you@there.com'],
|
||||
success_message='Click the link in the message to update your email address.',
|
||||
assert_after_reload=False
|
||||
|
||||
@@ -34,23 +34,27 @@
|
||||
// Currently when a non-staff user A access user B's profile, the only way to tell whether user B's
|
||||
// profile is public is to check if the api has returned fields other than the default public fields
|
||||
// specified in settings.ACCOUNT_VISIBILITY_CONFIGURATION.
|
||||
var responseKeys = _.filter(_.keys(response), function (key) {return key !== 'default_public_account_fields'});
|
||||
response.profile_is_public = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
|
||||
|
||||
return response;
|
||||
var responseKeys = _.filter(_.keys(response), function (key) {
|
||||
return key !== 'default_public_account_fields';
|
||||
});
|
||||
|
||||
var isPublic = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
|
||||
response.profile_is_public = isPublic;
|
||||
return response;
|
||||
},
|
||||
|
||||
hasProfileImage: function () {
|
||||
var profile_image = this.get('profile_image');
|
||||
return (_.isObject(profile_image) && profile_image['has_image'] === true);
|
||||
return (_.isObject(profile_image) && profile_image.has_image === true);
|
||||
},
|
||||
|
||||
profileImageUrl: function () {
|
||||
return this.get('profile_image')['image_url_large'];
|
||||
return this.get('profile_image').image_url_large;
|
||||
},
|
||||
|
||||
isAboveMinimumAge: function() {
|
||||
var isBirthDefined = !(_.isUndefined(this.get('year_of_birth')) || _.isNull(this.get('year_of_birth')));
|
||||
var yearOfBirth = this.get('year_of_birth');
|
||||
var isBirthDefined = !(_.isUndefined(yearOfBirth) || _.isNull(yearOfBirth));
|
||||
return isBirthDefined && !(this.get("requires_parental_consent"));
|
||||
}
|
||||
});
|
||||
|
||||
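Review bot: `profileImageUrl` still dereferences `this.get('profile_image')` unguarded on the line the commit restyles to dot access, so a model whose `profile_image` attribute is missing throws a TypeError there, while the adjacent `hasProfileImage` checks `_.isObject` first. If callers are not guaranteed to call `hasProfileImage` before `profileImageUrl`, mirror that guard: `var profileImage = this.get('profile_image'); return _.isObject(profileImage) ? profileImage.image_url_large : undefined;`. As a point of style, `isAboveMinimumAge` mixes quote styles: `this.get("requires_parental_consent")` is the only double-quoted key in the hunk. The function that holds the `responseKeys` / `profile_is_public` lines starts before the hunk.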
@@ -1,3 +1,5 @@
|
||||
<%page expression_filter="h"/>
|
||||
|
||||
<%! from django.utils.translation import ugettext as _ %>
|
||||
<div class="wrapper-msg urgency-high">
|
||||
<div class="msg">
|
||||
|
||||
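Review bot: With `expression_filter="h"` now applied page-wide, every `${ ... }` expression in the remainder of this template is HTML-escaped unless it opts out with `| n`; only the first five lines are in the hunk, so any expression that intentionally emits markup, or that sits inside a script block and needs JS escaping instead, would now be double- or mis-escaped. Worth confirming the rest of the file was audited the same way the `js_extra` block of account_settings.html is in this PR.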
@@ -1,8 +1,13 @@
|
||||
<%page expression_filter="h"/>
|
||||
|
||||
<%!
|
||||
import json
|
||||
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.conf import settings
|
||||
from django.utils.translation import ugettext as _
|
||||
|
||||
from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
|
||||
%>
|
||||
|
||||
<!--<%namespace name='static' file='/static_content.html'/>-->
|
||||
@@ -27,12 +32,17 @@ from django.utils.translation import ugettext as _
|
||||
|
||||
<%block name="js_extra">
|
||||
<%static:require_module module_name="js/student_account/views/account_settings_factory" class_name="AccountSettingsFactory">
|
||||
var fieldsData = ${ json.dumps(fields) };
|
||||
var authData = ${ json.dumps(auth) };
|
||||
var platformName = ${json.dumps(static.get_platform_name())};
|
||||
var fieldsData = ${ fields | n, dump_js_escaped_json };
|
||||
var authData = ${ auth | n, dump_js_escaped_json };
|
||||
var platformName = '${ static.get_platform_name() | n, js_escaped_string }';
|
||||
|
||||
AccountSettingsFactory(
|
||||
fieldsData, authData, '${user_accounts_api_url}', '${user_preferences_api_url}', ${user.id}, platformName
|
||||
fieldsData,
|
||||
authData,
|
||||
'${ user_accounts_api_url | n, js_escaped_string }',
|
||||
'${ user_preferences_api_url | n, js_escaped_string }',
|
||||
${ user.id | n, dump_js_escaped_json },
|
||||
platformName
|
||||
);
|
||||
</%static:require_module>
|
||||
</%block>
|
||||
|
||||
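Review bot: The `<%! %>` block at the top of this file keeps `import json` although all three `json.dumps` calls in the `js_extra` block are replaced by `dump_js_escaped_json`; if no other expression in the file uses `json`, the import is dead and should be dropped so a later author is not tempted to reintroduce the unescaped form. The `| n, js_escaped_string` expressions depend on the single quotes placed around them on the same line, and `user.id` is inserted as JSON rather than quoted, which is the right choice for a bare numeric value. A short comment above `var fieldsData` such as `// values are emitted via the JS-escaping filters, not the page's default h filter` would tell a reader why `| n` is used here.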