From d43f33db31fb6b2aeabd0f2dafdec4d7ab51391f Mon Sep 17 00:00:00 2001
From: muzaffaryousaf <muzaffar.yousaf@arbisoft.com>
Date: Mon, 14 Mar 2016 16:06:40 +0500
Subject: [PATCH 1/4] Properly escape mixed content. text + html.

TNL-4243
---
 lms/djangoapps/edxnotes/tests.py     | 15 +++++++++++++++
 lms/templates/edxnotes/edxnotes.html |  5 +++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/lms/djangoapps/edxnotes/tests.py b/lms/djangoapps/edxnotes/tests.py
index 76010b4e2d..cef50f5b1b 100644
--- a/lms/djangoapps/edxnotes/tests.py
+++ b/lms/djangoapps/edxnotes/tests.py
@@ -998,6 +998,21 @@ class EdxNotesViewsTest(ModuleStoreTestCase):
         response = self.client.get(self.notes_page_url)
         self.assertContains(response, 'Highlights and notes you&#39;ve made in course content')
 
+    # pylint: disable=unused-argument
+    @patch.dict("django.conf.settings.FEATURES", {"ENABLE_EDXNOTES": True})
+    @patch("edxnotes.views.get_notes", return_value={'results': []})
+    @patch("edxnotes.views.get_course_position", return_value={'display_name': 'Section 1', 'url': 'test_url'})
+    def test_edxnotes_html_tags_should_not_be_escaped(self, mock_get_notes, mock_position):
+        """
+        Tests that explicit html tags rendered correctly.
+        """
+        enable_edxnotes_for_the_course(self.course, self.user.id)
+        response = self.client.get(self.notes_page_url)
+        self.assertContains(
+            response,
+            'Get started by making a note in something you just read, like <a href="test_url">Section 1</a>'
+        )
+
     @patch.dict("django.conf.settings.FEATURES", {"ENABLE_EDXNOTES": False})
     def test_edxnotes_view_is_disabled(self):
         """
diff --git a/lms/templates/edxnotes/edxnotes.html b/lms/templates/edxnotes/edxnotes.html
index 533646c5cd..04a08dacbe 100644
--- a/lms/templates/edxnotes/edxnotes.html
+++ b/lms/templates/edxnotes/edxnotes.html
@@ -5,6 +5,7 @@
 <%!
 from django.utils.translation import ugettext as _
 from edxnotes.helpers import NoteJSONEncoder
+from openedx.core.djangolib.markup import Text, HTML
 from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
 
@@ -78,8 +79,8 @@ from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_str
 
               % if position is not None:
               <div class="placeholder-cta student-notes-cta">
-                <p class="placeholder-cta-copy">${_('Get started by making a note in something you just read, like {section_link}.').format(
-                  section_link='<a href="{url}">{section_name}</a>'.format(
+                <p class="placeholder-cta-copy">${Text(_('Get started by making a note in something you just read, like {section_link}.')).format(
+                  section_link=HTML('<a href="{url}">{section_name}</a>').format(
                     url=position['url'],
                     section_name=position['display_name'],
                     )

From 167efea65c77eefafadf2b208cc16b9c1d4a3c66 Mon Sep 17 00:00:00 2001
From: Qubad786 <muhammadrehan69@gmail.com>
Date: Thu, 10 Mar 2016 18:43:06 +0500
Subject: [PATCH 2/4] render progress status while problem content rendering

---
 .../xmodule/js/spec/capa/display_spec.coffee   | 18 +++++++++++++++++-
 .../xmodule/xmodule/js/src/capa/display.coffee |  1 +
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/common/lib/xmodule/xmodule/js/spec/capa/display_spec.coffee b/common/lib/xmodule/xmodule/js/spec/capa/display_spec.coffee
index bc23566d18..2edb056bd9 100644
--- a/common/lib/xmodule/xmodule/js/spec/capa/display_spec.coffee
+++ b/common/lib/xmodule/xmodule/js/spec/capa/display_spec.coffee
@@ -1,4 +1,6 @@
 describe 'Problem', ->
+  problem_content_default = readFixtures('problem_content.html')
+
   beforeEach ->
     # Stub MathJax
     window.MathJax =
@@ -20,7 +22,7 @@ describe 'Problem', ->
 
     spyOn Logger, 'log'
     spyOn($.fn, 'load').andCallFake (url, callback) ->
-      $(@).html readFixtures('problem_content.html')
+      $(@).html problem_content_default
       callback()
 
   describe 'constructor', ->
@@ -96,6 +98,13 @@ describe 'Problem', ->
         @problem.renderProgressState()
         expect(@problem.$('.problem-progress').html()).toEqual "(1 point possible)"
 
+      it 'displays the number of points possible when rendering happens with the content', ->
+        @problem.el.data('progress_status', 'none')
+        @problem.el.data('progress_detail', '0/2')
+        expect(@problem.$('.problem-progress').html()).toEqual ""
+        @problem.render(problem_content_default)
+        expect(@problem.$('.problem-progress').html()).toEqual "(2 points possible)"
+
     describe 'with any other valid status', ->
       it 'reports the current score', ->
         @problem.el.data('progress_status', 'foo')
@@ -103,6 +112,13 @@ describe 'Problem', ->
         @problem.renderProgressState()
         expect(@problem.$('.problem-progress').html()).toEqual "(1/1 point)"
 
+      it 'shows current score when rendering happens with the content', ->
+        @problem.el.data('progress_status', 'test status')
+        @problem.el.data('progress_detail', '2/2')
+        expect(@problem.$('.problem-progress').html()).toEqual ""
+        @problem.render(problem_content_default)
+        expect(@problem.$('.problem-progress').html()).toEqual "(2/2 points)"
+
   describe 'render', ->
     beforeEach ->
       @problem = new Problem($('.xblock-student_view'))
diff --git a/common/lib/xmodule/xmodule/js/src/capa/display.coffee b/common/lib/xmodule/xmodule/js/src/capa/display.coffee
index 524b33778e..a057a9dfd8 100644
--- a/common/lib/xmodule/xmodule/js/src/capa/display.coffee
+++ b/common/lib/xmodule/xmodule/js/src/capa/display.coffee
@@ -159,6 +159,7 @@ class @Problem
         @setupInputTypes()
         @bind()
         @queueing()
+        @renderProgressState()
       @el.attr('aria-busy', 'false')
     else
       $.postWithPrefix "#{@url}/problem_get", (response) =>

From ae0a128966406922376bbd0e472271f66f924b11 Mon Sep 17 00:00:00 2001
From: Clinton Blackburn <cblackburn@edx.org>
Date: Tue, 15 Mar 2016 15:37:21 -0400
Subject: [PATCH 3/4] Reverted rfc6266 change

The fork actually does include a commit that is not in the PyPI version.

ECOM-3833
---
 requirements/edx/base.txt   | 1 -
 requirements/edx/github.txt | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index ed082edd37..965f003a4e 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -85,7 +85,6 @@ pysrt==0.4.7
 PyYAML==3.10
 requests==2.7.0
 requests-oauthlib==0.4.1
-rfc6266==0.0.4
 scipy==0.14.0
 Shapely==1.2.16
 singledispatch==3.4.0.2
diff --git a/requirements/edx/github.txt b/requirements/edx/github.txt
index e963386de1..f8e86b4b4f 100644
--- a/requirements/edx/github.txt
+++ b/requirements/edx/github.txt
@@ -65,6 +65,9 @@ git+https://github.com/hmarr/django-debug-toolbar-mongo.git@b0686a76f1ce3532088c
 # custom opaque-key implementations for CCX
 git+https://github.com/edx/ccx-keys.git@0.1.1#egg=ccx-keys==0.1.1
 
+# NOTE (CCB): This must remain. There is one commit on the upstream repo that has not been released to PyPI.
+git+https://github.com/edx/rfc6266.git@v0.0.5-edx#egg=rfc6266==0.0.5-edx
+
 # Used for testing
 git+https://github.com/edx/lettuce.git@0.2.20.002#egg=lettuce==0.2.20.002
 

From a32ee429a391f9735365cd0fe8037c48033f7521 Mon Sep 17 00:00:00 2001
From: Toby Lawrence <tlawrence@edx.org>
Date: Wed, 16 Mar 2016 11:19:01 -0400
Subject: [PATCH 4/4] Revert "Fixed the other half of forgot password flow
 accourding to logistration."

This reverts commit 178f5a6056e39fc5bae2019ab78015ca006d466e.
---
 .../student_account/test/test_views.py        |   4 +-
 .../js/student_account/password_reset.js      |  15 --
 lms/templates/main_django.html                |   2 +
 .../registration/password_reset_complete.html |  59 ++++--
 .../registration/password_reset_confirm.html  | 184 +++++++++++++-----
 5 files changed, 174 insertions(+), 90 deletions(-)
 delete mode 100644 lms/static/js/student_account/password_reset.js

diff --git a/lms/djangoapps/student_account/test/test_views.py b/lms/djangoapps/student_account/test/test_views.py
index 585233cb93..43229700d6 100644
--- a/lms/djangoapps/student_account/test/test_views.py
+++ b/lms/djangoapps/student_account/test/test_views.py
@@ -100,7 +100,7 @@ class StudentAccountUpdateTest(UrlResetMixin, TestCase):
             follow=True
         )
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, "Your password has been reset.")
+        self.assertContains(response, "Your password has been set.")
 
         # Log the user out to clear session data
         self.client.logout()
@@ -116,7 +116,7 @@ class StudentAccountUpdateTest(UrlResetMixin, TestCase):
             follow=True
         )
         self.assertEqual(response.status_code, 200)
-        self.assertContains(response, "This password reset link is invalid. It may have been used already.")
+        self.assertContains(response, "The password reset link was invalid, possibly because the link has already been used.")
 
         self.client.logout()
 
diff --git a/lms/static/js/student_account/password_reset.js b/lms/static/js/student_account/password_reset.js
deleted file mode 100644
index 9733909315..0000000000
--- a/lms/static/js/student_account/password_reset.js
+++ /dev/null
@@ -1,15 +0,0 @@
-/**
- * Password reset template JS.
- */
-$(function() {
-    'use strict';
-    // adding js class for styling with accessibility in mind
-    $("body").addClass("js");
-
-    // form field label styling on focus
-    $("form :input").focus(function() {
-        $("label[for='" + this.id + "']").parent().addClass("is-focused");
-    }).blur(function() {
-        $("label").parent().removeClass("is-focused");
-    });
-});
diff --git a/lms/templates/main_django.html b/lms/templates/main_django.html
index 59c5e22078..89eb7f80c0 100644
--- a/lms/templates/main_django.html
+++ b/lms/templates/main_django.html
@@ -10,6 +10,8 @@
 
   {% stylesheet 'style-vendor' %}
   {% stylesheet 'style-main' %}
+  {% stylesheet 'style-course-vendor' %}
+  {% stylesheet 'style-course' %}
 
   {% block main_vendor_js %}
   {% javascript 'main_vendor' %}
diff --git a/lms/templates/registration/password_reset_complete.html b/lms/templates/registration/password_reset_complete.html
index a5172e364c..908f2d610f 100644
--- a/lms/templates/registration/password_reset_complete.html
+++ b/lms/templates/registration/password_reset_complete.html
@@ -6,30 +6,49 @@
 {% endblock %}
 
 {% block bodyextra %}
-    <script type="text/javascript">
-        $(function() {
-            'use strict';
-            // adding js class for styling with accessibility in mind
-            $('body').addClass('js');
-        });
-    </script>
+  <script type="text/javascript">
+    $(function() {
+
+      // adding js class for styling with accessibility in mind
+      $('body').addClass('js');
+
+      // new window/tab opening
+      $('a[rel="external"], a[class="new-vp"]')
+      .click( function() {
+      window.open( $(this).attr('href') );
+      return false;
+      });
+
+      // form field label styling on focus
+      $("form :input").focus(function() {
+        $("label[for='" + this.id + "']").parent().addClass("is-focused");
+      }).blur(function() {
+        $("label").parent().removeClass("is-focused");
+      });
+    });
+  </script>
 {% endblock %}
 
 {% block bodyclass %}view-passwordreset{% endblock %}
 
 {% block body %}
-<div id="password-reset-complete-container" class="login-register">
-    <section id="password-reset-complete-anchor" class="form-type">
-        <div id="password-reset-complete" class="form-wrapper" aria-hidden="true">
-            <div class="status submission-success" aria-live="polite">
-                <h4 class="message-title">{% trans "Password Reset Complete" %}</h4>
-                <ul class="message-copy">
-                {% blocktrans with link_start='<a href="/login">' link_end='</a>' %}
-                    Your password has been reset. {{ link_start }}Sign in to your account.{{ link_end }}
-                {% endblocktrans %}
-                </ul>
-            </div>
-        </div>
+  <section class="introduction">
+    <header>
+      <h1 class="title">
+        <span class="title-super">
+          {% trans "Your Password Reset is Complete" %}
+        </span>
+      </h1>
+    </header>
+  </section>
+
+  <section class="passwordreset container">
+    {% block content %}
+    <section role="main" class="content">
+      {% blocktrans with link_start='<a href="/login">' link_end='</a>' %}
+      Your password has been set.  You may go ahead and {{ link_start }}log in{{ link_end }} now.
+      {% endblocktrans %}
     </section>
-</div>
+    {% endblock %}
+  </section>
 {% endblock %}
diff --git a/lms/templates/registration/password_reset_confirm.html b/lms/templates/registration/password_reset_confirm.html
index d9549fa039..12daddac3a 100644
--- a/lms/templates/registration/password_reset_confirm.html
+++ b/lms/templates/registration/password_reset_confirm.html
@@ -3,70 +3,148 @@
 
 {% block title %}
 <title>
-{% blocktrans with platform_name=platform_name %}
-    Reset Your {{ platform_name }} Password
-{% endblocktrans %}
+  {% blocktrans with platform_name=platform_name %}
+      Reset Your {{ platform_name }} Password
+  {% endblocktrans %}
 </title>
 {% endblock %}
 
 {% block bodyextra %}
-<script type="text/javascript" src="{{STATIC_URL}}js/student_account/password_reset.js"></script>
+  <script type="text/javascript">
+    $(function() {
+
+      // adding js class for styling with accessibility in mind
+      $('body').addClass('js');
+
+      // new window/tab opening
+      $('a[rel="external"], a[class="new-vp"]')
+      .click( function() {
+      window.open( $(this).attr('href') );
+      return false;
+      });
+
+      // form field label styling on focus
+      $("form :input").focus(function() {
+        $("label[for='" + this.id + "']").parent().addClass("is-focused");
+      }).blur(function() {
+        $("label").parent().removeClass("is-focused");
+      });
+    });
+  </script>
 {% endblock %}
 
 {% block bodyclass %}view-passwordreset{% endblock %}
 
 {% block body %}
-<div id="password-reset-confirm-container" class="login-register">
-    <section id="password-reset-confirm-anchor" class="form-type">
-        <div id="password-reset-confirm-form" class="form-wrapper" aria-hidden="true">
-            <div class="status submission-error {% if not err_msg %} hidden {% endif %}" aria-live="polite">
-                <h4 class="message-title">{% trans "Error Resetting Password" %}</h4>
-                <ul class="message-copy">
-                {% if err_msg %}
-                    <li>{{err_msg}}</li>
-                {% else %}
-                    <li>{% trans "You must enter and confirm your new password." %}</li>
-                    <li>{% trans "The text in both password fields must match." %}</li>
-                {% endif %}
-                </ul>
-            </div>
-            {% if validlink %}
+  <section class="introduction">
+    <header>
+      <h1 class="title">
+        <span class="title-super">
+          {% blocktrans with platform_name=platform_name %}
+          Reset Your {{ platform_name }} Password
+          {% endblocktrans %}
+        </span>
+      </h1>
+    </header>
+  </section>
 
-            <form role="form" id="passwordreset-form" method="post" action="">{% csrf_token %}
-                <div class="section-title lines">
-                    <h2>
-                        <span class="text">
-                        {% trans "Reset Your Password" %}
-                        </span>
-                    </h2>
-                </div>
+  <section class="passwordreset container">
+    <section role="main" class="content">
+      {% if validlink %}
+      <header>
+      <h2 class="sr">{% trans "Password Reset Form" %}</h2>
+      </header>
 
-                <p class="action-label">
-                    {% trans "Enter and confirm your new password." %}
-                </p>
-
-                <div class="form-field new_password1-new_password1">
-                    <label for="new_password1">{% trans "New Password" %}</label>
-                    <input id="new_password1" type="password" name="new_password1" placeholder="*****" />
-                </div>
-                <div class="form-field new_password2-new_password2">
-                    <label for="new_password2">{% trans "Confirm Password" %}</label>
-                    <input id="new_password2" type="password" name="new_password2" placeholder="*****" />
-                </div>
-
-                <button type="submit" class="action action-primary action-update js-reset">{% trans "Reset My Password" %}</button>
-            </form>
-            {% else %}
-            <div class="status submission-error" aria-live="polite">
-                <h4 class="message-title">{% trans "Invalid Password Reset Link" %}</h4>
-                <ul class="message-copy">
-                {% blocktrans with start_link='<a href="/login">' end_link='</a>' %}
-                    This password reset link is invalid. It may have been used already. To reset your password, go to the {{ start_link }}sign-in{{ end_link }} page and select <strong>Forgot password</strong>.
-                {% endblocktrans %}
-                </ul>
-            </div>
-            {% endif %}
+      <form role="form" id="passwordreset-form" method="post" action="">{% csrf_token %}
+        <!-- status messages -->
+        <div role="alert" class="status message">
+          <h3 class="message-title">
+            {% blocktrans %}
+                We're sorry, but this version of your browser is not supported. Try again using a different browser or a newer version of your browser.
+            {% endblocktrans %}
+          </h3>
         </div>
+
+        {% if err_msg %}
+        <div role="alert" class="status message submission-error" style="display: block;">
+        {% else %}
+        <div role="alert" class="status message submission-error" style="display: none;">
+        {% endif %}
+          <h3 class="message-title">{% trans "The following errors occurred while processing your registration: " %}</h3>
+          <ul class="message-copy">
+            {% if err_msg %}
+              <li>{{err_msg}}</li>
+            {% else %}
+              <li>{% trans "You must complete all fields." %}</li>
+              <li>{% trans "The two password fields didn't match." %}</li>
+            {% endif %}
+          </ul>
+        </div>
+
+        <div role="alert" class="status message system-error">
+          <h3 class="message-title">{% trans "We're sorry, our systems seem to be having trouble processing your password reset" %}</h3>
+          <p class="message-copy">
+            {% blocktrans with start_link='<a href="{{MKTG_URL_CONTACT}}">' end_link='</a>' %}
+                Someone has been made aware of this issue. Please try again shortly. Please {{ start_link }}contact us{{ end_link }} about any concerns you have.
+            {% endblocktrans %}
+          </p>
+        </div>
+
+        <p class="instructions">
+        {% trans 'Please enter your new password twice so we can verify you typed it in correctly.' %}
+        <br />
+        {% blocktrans with bold_start='<strong class="indicator">' bold_end='</strong>' %}
+        Required fields are noted by {{bold_start}}bold text and an asterisk (*){{bold_end}}.
+        {% endblocktrans %}
+        </p>
+
+        <fieldset class="group group-form group-form-requiredinformation">
+          <legend class="sr">{% trans "Required Information" %}</legend>
+
+          <ol class="list-input">
+            <li class="field required password" id="field-new_password1">
+              <label for="new_password1">{% trans "Your New Password" %}</label>
+              <input id="new_password1" type="password" name="new_password1" placeholder="*****" />
+            </li>
+            <li class="field required password" id="field-new_password2">
+              <label for="new_password2">{% trans "Your New Password Again" %}</label>
+              <input id="new_password2" type="password" name="new_password2" placeholder="*****" />
+            </li>
+          </ol>
+        </fieldset>
+
+        <div class="form-actions">
+          <button name="submit" type="submit" id="submit" class="action action-primary action-update">{% trans "Change My Password" %}</button>
+        </div>
+      </form>
+
+      {% else %}
+
+      <header>
+        <h2 class="sr">{% trans "Your Password Reset Was Unsuccessful" %}</h2>
+      </header>
+      <p>
+        {% blocktrans with start_link='<a href="/login">' end_link='</a>' %}
+            The password reset link was invalid, possibly because the link has already been used.  Please return to the {{ start_link }}login page{{ end_link }} and start the password reset process again.
+        {% endblocktrans %}
+      </p>
+
+      {% endif %}
     </section>
-</div>
+
+    <aside role="complementary">
+      <header>
+      <h3 class="sr">{% trans "Password Reset Help" %}</h3>
+      </header>
+
+      <div class="cta cta-help">
+        <h3>{% trans "Need Help?" %}</h3>
+        <p>
+          {% blocktrans with start_link='<a href="{{MKTG_URL_FAQ}}">' end_link='</a>' %}
+              View our {{ start_link }}help section for contact information and answers to commonly asked questions{{ end_link }}
+          {% endblocktrans %}
+        </p>
+      </div>
+    </aside>
+  </section>
 {% endblock %}