diff --git a/lms/djangoapps/courseware/tests/test_views.py b/lms/djangoapps/courseware/tests/test_views.py
index 45196d6a40..a5121042d1 100644
--- a/lms/djangoapps/courseware/tests/test_views.py
+++ b/lms/djangoapps/courseware/tests/test_views.py
@@ -6,9 +6,12 @@ from django.http import Http404
from django.test.utils import override_settings
from django.contrib.auth.models import User
from django.test.client import RequestFactory
+
from django.conf import settings
+from django.core.urlresolvers import reverse
from student.models import CourseEnrollment
+from student.tests.factories import AdminFactory
from xmodule.modulestore.django import modulestore
import courseware.views as views
@@ -161,3 +164,26 @@ class ViewsTestCase(TestCase):
# generate/store a real password.
self.assertEquals(chat_settings['password'], "johndoe@%s" % domain)
+ def test_submission_history_xss(self):
+ # log into a staff account
+ admin = AdminFactory()
+
+ self.client.login(username=admin.username, password='test')
+
+ # try it with an existing user and a malicious location
+ url = reverse('submission_history', kwargs={
+ 'course_id': self.course_id,
+ 'student_username': 'dummy',
+ 'location': ''
+ })
+ response = self.client.get(url)
+ self.assertFalse('',
+ 'location': 'dummy'
+ })
+ response = self.client.get(url)
+ self.assertFalse('