Properly escaping fullname

To prevent XSS attacks, we now properly escape any string containing
the user's fullname. Enumerated by searching webview.py for "fullname",
and "git grep"-ing any occurrences. This also exposed some unused strings,
which I deleted for clarity.
Ayub-khan
2016-03-16 18:57:45 +05:00
committed by Eric Fischer
parent 0a8f6fa3fe
commit 90a72ddba6
2 changed files with 4 additions and 4 deletions


@@ -40,7 +40,7 @@ from django.template.defaultfilters import escapejs
<div class="wrapper-banner wrapper-banner-user">
<section class="banner banner-user">
<div class="message message-block message-notice">
<h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening}</h2>
<h2 class="message-title hd-5 emphasized">${accomplishment_banner_opening | h}</h2>
<div class="wrapper-copy-and-actions">
<p class="message-copy copy copy-base emphasized">${accomplishment_banner_congrats}</p>
<div class="message-actions">
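Review bot: `${accomplishment_banner_congrats}` on the line right after the fixed banner opening is still rendered with no filter. If it is assembled from the user's fullname like the opening is (the commit message says every such string is covered), it needs `| h` as well; if it is a fixed translated string with no user data, a short comment saying so would save the next reader from re-auditing it. Also note that `h` is HTML-body escaping only; the `escapejs` import visible in the hunk header suggests some values are emitted into script context, where `h` alone is not the right filter.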


@@ -24,7 +24,7 @@ course_mode_class = course_mode if course_mode else ''
<div class="wrapper-statement-and-signatories">
<div class="accomplishment-statement">
<p class="accomplishment-statement-lead">
<strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name}</strong>
<strong class="accomplishment-recipient hd-1 emphasized">${accomplishment_copy_name | h}</strong>
<span class="accomplishment-summary copy copy-lead">${accomplishment_copy_description_full}</span>
<span class="accomplishment-course hd-1 emphasized">
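Review bot: `${accomplishment_copy_description_full}`, two lines below the fixed `accomplishment_copy_name`, stays unfiltered. Confirm that it is not built from the fullname; otherwise it needs `| h` too. Escaping one expression in a block while its neighbour is still raw is exactly the case a grep for "fullname" can miss when the name is concatenated into another string before reaching the template.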
@@ -86,7 +86,7 @@ course_mode_class = course_mode if course_mode else ''
<div class="wrapper-accomplishment-metadata">
<div class="accomplishment-metadata">
<h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about}</h2>
<h2 class="accomplishment-metadata-title hd-6">${accomplishment_copy_more_about | h}</h2>
<div class="wrapper-metadata">
<dl class="metadata accomplishment-recipient">
@@ -96,7 +96,7 @@ course_mode_class = course_mode if course_mode else ''
<img class="src" src="/static/certificates/images/demo-user-profile.png" alt="">
</span>
<div class="recipient-details">
<h3 class="recipient-name">${accomplishment_copy_name}</h3>
<h3 class="recipient-name">${accomplishment_copy_name | h}</h3>
<p class="recipient-username">${accomplishment_copy_username} @ ${platform_name}</p>
</div>
</dd>
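Review bot: `${accomplishment_copy_username} @ ${platform_name}`, right after the fixed `recipient-name` heading, is still unescaped. The username is user-chosen even if a validator restricts its characters, so escape it here rather than relying on that validator staying strict. More generally, since this template escapes by opt-in on each expression, consider `<%page expression_filter="h"/>` so every `${...}` is HTML-escaped by default and only expressions that intentionally emit markup opt out with `| n`; that removes the dependence on grepping for each site.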