From 32729eb838cc1efaf39e7bbd06615d201d03ecf2 Mon Sep 17 00:00:00 2001
From: "J. Cliff Dyer"
Date: Wed, 23 Mar 2016 20:08:27 +0000
Subject: [PATCH] Added safety to account_settings template

---
 .../tests/lms/test_account_settings.py | 2 +-
 .../models/user_account_model.js | 18 +++++++++++-------
 .../_dashboard_third_party_error.html | 2 ++
 .../student_account/account_settings.html | 18 ++++++++++++++----
 4 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/common/test/acceptance/tests/lms/test_account_settings.py b/common/test/acceptance/tests/lms/test_account_settings.py
index e76e8179fb..9c720f3d7c 100644
--- a/common/test/acceptance/tests/lms/test_account_settings.py
+++ b/common/test/acceptance/tests/lms/test_account_settings.py
@@ -286,7 +286,7 @@ class AccountSettingsPageTest(AccountSettingsTestMixin, WebAppTest):
 u'email',
 u'Email Address',
 email,
- u'@',
+ u'test@example.com' + XSS_INJECTION,
 [u'me@here.com', u'you@there.com'],
 success_message='Click the link in the message to update your email address.',
 assert_after_reload=False
diff --git a/lms/static/js/student_account/models/user_account_model.js b/lms/static/js/student_account/models/user_account_model.js
index d2e1791460..fbd040a44f 100644
--- a/lms/static/js/student_account/models/user_account_model.js
+++ b/lms/static/js/student_account/models/user_account_model.js
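Review bot: The new invalid-input value `u'test@example.com' + XSS_INJECTION` references `XSS_INJECTION`, but the diffstat shows this file changed by exactly one line, so no import was added for it; confirm the name is already imported in test_account_settings.py, otherwise the test fails with a NameError instead of exercising the escaping. Since this value replaces `u'@'` as the "invalid" entry of the field check, the helper consuming it presumably must reject the value and render the error without reflecting the payload unescaped; a comment on the changed line such as `# invalid value doubles as an XSS probe: the echoed error must be escaped` would make that intent explicit. The enclosing call begins and ends outside the hunk.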
@@ -34,23 +34,27 @@
 // Currently when a non-staff user A access user B's profile, the only way to tell whether user B's
 // profile is public is to check if the api has returned fields other than the default public fields
 // specified in settings.ACCOUNT_VISIBILITY_CONFIGURATION.
- var responseKeys = _.filter(_.keys(response), function (key) {return key !== 'default_public_account_fields'});
- response.profile_is_public = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
-
- return response;
+ var responseKeys = _.filter(_.keys(response), function (key) {
+ return key !== 'default_public_account_fields';
+ });
+
+ var isPublic = _.size(_.difference(responseKeys, response.default_public_account_fields)) > 0;
+ response.profile_is_public = isPublic;
+ return response;
 },

 hasProfileImage: function () {
 var profile_image = this.get('profile_image');
- return (_.isObject(profile_image) && profile_image['has_image'] === true);
+ return (_.isObject(profile_image) && profile_image.has_image === true);
 },

 profileImageUrl: function () {
- return this.get('profile_image')['image_url_large'];
+ return this.get('profile_image').image_url_large;
 },

 isAboveMinimumAge: function() {
- var isBirthDefined = !(_.isUndefined(this.get('year_of_birth')) || _.isNull(this.get('year_of_birth')));
+ var yearOfBirth = this.get('year_of_birth');
+ var isBirthDefined = !(_.isUndefined(yearOfBirth) || _.isNull(yearOfBirth));
 return isBirthDefined && !(this.get("requires_parental_consent"));
 }
 });
diff --git a/lms/templates/dashboard/_dashboard_third_party_error.html b/lms/templates/dashboard/_dashboard_third_party_error.html
index a7958b9481..8903056380 100644
--- a/lms/templates/dashboard/_dashboard_third_party_error.html
+++ b/lms/templates/dashboard/_dashboard_third_party_error.html
@@ -1,3 +1,5 @@
+<%page expression_filter="h"/>
+
 <%! from django.utils.translation import ugettext as _ %>
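Review bot: `profileImageUrl` still dereferences `this.get('profile_image').image_url_large` without the `_.isObject` guard that `hasProfileImage` applies a few lines above, so a missing or null `profile_image` throws a TypeError here exactly as the bracket form did. Either document that callers must check `hasProfileImage()` first, or guard it: `var profileImage = this.get('profile_image'); return _.isObject(profileImage) ? profileImage.image_url_large : undefined;`. In `isAboveMinimumAge`, `this.get("requires_parental_consent")` is the only double-quoted key in the hunk; `'requires_parental_consent'` would match the single-quote style of the lines rewritten around it. The method whose tail is rewritten at the top of the hunk (the one returning `response`) begins outside it.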
diff --git a/lms/templates/student_account/account_settings.html b/lms/templates/student_account/account_settings.html
index 7d912789dc..61d465a9c6 100644
--- a/lms/templates/student_account/account_settings.html
+++ b/lms/templates/student_account/account_settings.html
@@ -1,8 +1,13 @@
+<%page expression_filter="h"/>
+
 <%!
 import json
+
 from django.core.urlresolvers import reverse
 from django.conf import settings
 from django.utils.translation import ugettext as _
+
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
@@ -27,12 +32,17 @@ from django.utils.translation import ugettext as _
 <%block name="js_extra">
 <%static:require_module module_name="js/student_account/views/account_settings_factory" class_name="AccountSettingsFactory">
- var fieldsData = ${ json.dumps(fields) };
- var authData = ${ json.dumps(auth) };
- var platformName = ${json.dumps(static.get_platform_name())};
+ var fieldsData = ${ fields | n, dump_js_escaped_json };
+ var authData = ${ auth | n, dump_js_escaped_json };
+ var platformName = '${ static.get_platform_name() | n, js_escaped_string }';
 AccountSettingsFactory(
- fieldsData, authData, '${user_accounts_api_url}', '${user_preferences_api_url}', ${user.id}, platformName
+ fieldsData,
+ authData,
+ '${ user_accounts_api_url | n, js_escaped_string }',
+ '${ user_preferences_api_url | n, js_escaped_string }',
+ ${ user.id | n, dump_js_escaped_json },
+ platformName
 );
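Review bot: `<%page expression_filter="h"/>` at the top of the first hunk makes HTML escaping the default for every `${...}` expression in account_settings.html, not only the ones this diff rewrites; any other expression in the template that emits markup, or sits inside a script or attribute context, now needs an explicit `| n` with the matching escaper, the way the `js_extra` block does with `js_escaped_string` and `dump_js_escaped_json`. The `<%!` block still carries `import json` although the `json.dumps` calls it served are replaced in the second hunk; if no other use of `json` remains in the template, drop the import. The `<%block name="js_extra">` rewritten in the second hunk closes outside the visible lines.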