seq_module.html XSS - Safe by default

This commit is contained in:
Nimisha Asthagiri
2016-03-23 11:53:03 -04:00
parent 2c90cac962
commit 2f037f04e9


@@ -1,3 +1,4 @@
<%page expression_filter="h"/>
<%! from django.utils.translation import ugettext as _ %>
<div id="sequence_${element_id}" class="sequence" data-id="${item_id}" data-position="${position}" data-ajax-url="${ajax_url}" data-next-url="${next_url}" data-prev-url="${prev_url}">
@@ -17,8 +18,8 @@
<button class="seq_${item['type']} inactive progress-${item['progress_status']} nav-item"
data-id="${item['id']}"
data-element="${idx+1}"
data-page-title="${item['page_title']|h}"
data-path="${item['path']|h}"
data-page-title="${item['page_title']}"
data-path="${item['path']}"
id="tab_${idx}">
<i class="icon fa seq_${item['type']}" aria-hidden="true"></i>
<i class="fa fa-fw fa-bookmark bookmark-icon ${"is-hidden" if not item['bookmarked'] else "bookmarked"}" aria-hidden="true"></i>
@@ -40,7 +41,7 @@
aria-labelledby="tab_${idx}"
aria-hidden="true"
class="seq_contents tex2jax_ignore asciimath2jax_ignore">
${item['content'] | h}
${item['content']}
</div>
% endfor
<div id="seq_content"></div>
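Review bot: Nothing in this template records that escaping now depends entirely on the `<%page expression_filter="h"/>` directive on line 1, since the per-expression `|h` filters on `data-page-title`, `data-path` and `${item['content']}` have been removed; a later edit that drops that directive or adds an unfiltered expression would not look like a security change. I would add a Mako comment directly under the directive, `## Every ${...} expression here is HTML-escaped by the page-level filter; rendering pre-built markup needs a deliberate, reviewed opt-out (Mako's | n).`. The `h` filter passes through objects that implement `__html__`, so presumably `item['content']` arrives as such an object for the block markup to keep rendering — worth confirming against the caller, as a plain string would display as escaped source (unchanged from the previous `| h`, but now implicit). The first hunk header reports 3/4 lines while only three are shown, so one line appears to have been lost in rendering.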