Merge pull request #195 from edx/sustaining/security-fixes-3

Sustaining/security fixes 3
2020-09-01 11:14:55 +05:00
parent a7ab16355a 5d38314fc5
commit 96fc73c13f
7 changed files with 31 additions and 29 deletions
--- a/cms/static/js/views/baseview.js
+++ b/cms/static/js/views/baseview.js
@@ -44,6 +44,7 @@ define(['jquery', 'underscore', 'backbone', 'gettext', 'js/utils/handle_iframe_b
                this.options = options;

                var _this = this;
+                // xss-lint: disable=javascript-jquery-insertion
                this.render = _.wrap(this.render, function(render, options) {
                    _this.beforeRender();
                    render(options);
--- a/cms/static/js/views/license.js
+++ b/cms/static/js/views/license.js
@@ -82,7 +82,7 @@ define([
        },

        render: function() {
-            this.$el.html(_.template(licenseSelectorTemplate)({
+            edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.template(licenseSelectorTemplate)({
                model: this.model.attributes,
                licenseString: this.model.toString() || '',
                licenseInfo: this.licenseInfo,
--- a/cms/static/js/views/list.js
+++ b/cms/static/js/views/list.js
@@ -38,7 +38,7 @@ define([
        },

        render: function(model) {
-            this.$el.html(this.template({
+            var template = this.template({
                itemCategoryDisplayName: this.itemCategoryDisplayName,
                newItemMessage: this.newItemMessage,
                emptyMessage: this.emptyMessage,
@@ -46,7 +46,8 @@ define([
                isEditing: model && model.get('editing'),
                canCreateNewItem: this.canCreateItem(this.collection),
                restrictEditing: this.restrictEditing
-            }));
+            });
+            edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.HTML(template));

            this.collection.each(function(model) {
                this.$(this.listContainerCss).append(
--- a/cms/static/js/views/manage_users_and_roles.js
+++ b/cms/static/js/views/manage_users_and_roles.js
@@ -1,9 +1,9 @@
 /*
 Code for editing users and assigning roles within a course or library team context.
 */
-define(['jquery', 'underscore', 'gettext', 'js/views/baseview',
-    'common/js/components/views/feedback_prompt', 'common/js/components/utils/view_utils'],
-    function($, _, gettext, BaseView, PromptView, ViewUtils) {
+define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/components/views/feedback_prompt',
+    'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils'],
+    function($, _, gettext, BaseView, PromptView, ViewUtils, HtmlUtils) {
        'use strict';
        var default_messages = {
            defaults: {
@@ -157,7 +157,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/baseview',
                        viewHelpers: viewHelpers
                    };

-                    this.$userList.append(templateFn(template_data));
+                    this.$userList.append(HtmlUtils.HTML(templateFn(template_data)).toString());
                }
            },

--- a/cms/static/js/views/uploads.js
+++ b/cms/static/js/views/uploads.js
@@ -1,5 +1,7 @@
-define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery.form'],
-    function($, _, gettext, BaseModal) {
+define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'edx-ui-toolkit/js/utils/html-utils',
+    'jquery.form'],
+    function($, _, gettext, BaseModal, HtmlUtils) {
+        'use strict';
        var UploadDialog = BaseModal.extend({
            events: _.extend({}, BaseModal.prototype.events, {
                'change input[type=file]': 'selectFile',
@@ -42,7 +44,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery
                // a blank input to prompt the user to upload a different (valid) file.
                if (selectedFile && isValid) {
                    $(oldInput).removeClass('error');
-                    this.$('input[type=file]').replaceWith(oldInput);
+                    this.$('input[type=file]').replaceWith(HtmlUtils.ensureHtml(oldInput).toString());
                    this.$('.action-upload').removeClass('disabled');
                } else {
                    this.$('.action-upload').addClass('disabled');
@@ -53,7 +55,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery
            getContentHtml: function() {
                return this.template({
                    url: this.options.url || CMS.URL.UPLOAD_ASSET,
-                    message: this.model.escape('message'),
+                    message: this.model.get('message'),
                    selectedFile: this.model.get('selectedFile'),
                    uploading: this.model.get('uploading'),
                    uploadedBytes: this.model.get('uploadedBytes'),
--- a/cms/static/js/views/video/transcripts/message_manager.js
+++ b/cms/static/js/views/video/transcripts/message_manager.js
@@ -74,16 +74,15 @@ function($, Backbone, _, Utils, FileUploader, gettext) {
                return this;
            }

-            template = _.template(tplHtml);
+            template = edx.HtmlUtils.template(tplHtml);

-            this.$el.find('.transcripts-status')
-                .removeClass('is-invisible')
-                .find(this.elClass).html(template({
-                    component_locator: encodeURIComponent(this.component_locator),
-                    html5_list: html5List,
-                    grouped_list: groupedList,
-                    subs_id: (params) ? params.subs : ''
-                }));
+            edx.HtmlUtils.setHtml(
+            this.$el.find('.transcripts-status').removeClass('is-invisible').find(this.elClass), template({
+                component_locator: encodeURIComponent(this.component_locator),
+                html5_list: html5List,
+                grouped_list: groupedList,
+                subs_id: (params) ? params.subs : ''
+            }));

            this.fileUploader.render();

@@ -106,11 +105,7 @@ function($, Backbone, _, Utils, FileUploader, gettext) {
            if (err) {
                // Hide any other error messages.
                this.hideError();
-
-                $error
-                    .html(gettext(err))
-                    .removeClass(this.invisibleClass);
-
+                edx.HtmlUtils.setHtml($error, gettext(err)).removeClass(this.invisibleClass);
                if (hideButtons) {
                    this.$el.find('.wrapper-transcripts-buttons')
                        .addClass(this.invisibleClass);
--- a/cms/static/js/views/xblock_string_field_editor.js
+++ b/cms/static/js/views/xblock_string_field_editor.js
@@ -5,8 +5,9 @@
 * XBlock field's value if it has been changed. If the user presses Escape, then any changes will
 * be removed and the input hidden again.
 */
-define(['js/views/baseview', 'js/views/utils/xblock_utils'],
-    function(BaseView, XBlockViewUtils) {
+define(['js/views/baseview', 'js/views/utils/xblock_utils', 'edx-ui-toolkit/js/utils/html-utils'],
+    function(BaseView, XBlockViewUtils, HtmlUtils) {
+        'use strict';
        var XBlockStringFieldEditor = BaseView.extend({
            events: {
                'click .xblock-field-value-edit': 'showInput',
@@ -29,11 +30,13 @@ define(['js/views/baseview', 'js/views/utils/xblock_utils'],
            },

            render: function() {
-                this.$el.append(this.template({
+                var attributes = {
+                    // xss-lint: disable=javascript-escape
                    value: this.model.escape(this.fieldName),
                    fieldName: this.fieldName,
                    fieldDisplayName: this.fieldDisplayName
-                }));
+                };
+                this.$el.append(HtmlUtils.HTML(this.template(attributes)).toString());
                return this;
            },