Merge pull request #19769 from edx/matthugs/reduce-xsslint-false-positives-for-underscore-using-global-js-functions

Improve XSS lint for underscore templates
This commit is contained in:
Matt Hughes
2019-02-14 17:09:42 -05:00
committed by GitHub
3 changed files with 7 additions and 3 deletions


@@ -190,6 +190,7 @@ class TestUnderscoreTemplateLinter(TestLinter):
self.assertEqual(results.violations[1].is_disabled, False)
@data(
{'template': '<%= edx.HtmlUtils.ensureHtml(message) %>'},
{'template': '<%= HtmlUtils.ensureHtml(message) %>'},
{'template': '<%= _.escape(message) %>'},
)
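Review bot: The added safe case `<%= HtmlUtils.ensureHtml(message) %>` has no negative counterpart: the linter accepts the expression by prefix (`startswith('HtmlUtils.')`, visible in the linter hunk of this same commit), so any member call on the global is treated as escaped, and nothing in this data set checks that a non-escaping `HtmlUtils.` member is still reported. I would add a case to the violating-expression data, e.g. a constructed `{'template': '<%= HtmlUtils.nonEscapingMember(message) %>'}` (placeholder name) with the expected violation, so the prefix acceptance cannot silently widen. These `@data` entries appear to be the safe-expression set, inferred from their values; the decorated test method follows outside the hunk.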


@@ -93,7 +93,7 @@ class TestXSSLinter(TestCase):
# Assert no rule totals.
self.assertIsNone(re.search(r'{}:\s*{} violations'.format(self.ruleset.python_parse_error.rule_id, 0), output))
# Assert final total
self.assertIsNotNone(re.search(r'{} violations total'.format(7), output))
self.assertIsNotNone(re.search(r'{} violations total'.format(5), output))
def test_lint_with_verbose(self):
"""
@@ -125,7 +125,7 @@ class TestXSSLinter(TestCase):
# Assert no rule totals.
self.assertIsNone(re.search(r'{}:\s*{} violations'.format(self.ruleset.python_parse_error.rule_id, 0), output))
# Assert final total
self.assertIsNotNone(re.search(r'{} violations total'.format(7), output))
self.assertIsNotNone(re.search(r'{} violations total'.format(5), output))
def test_lint_with_rule_totals(self):
"""
@@ -150,7 +150,7 @@ class TestXSSLinter(TestCase):
# Assert totals output.
self.assertIsNotNone(re.search(r'{}:\s*{} violations'.format(self.ruleset.python_parse_error.rule_id, 0), output))
self.assertIsNotNone(re.search(r'{}:\s*{} violations'.format(self.ruleset.python_wrap_html.rule_id, 1), output))
self.assertIsNotNone(re.search(r'{} violations total'.format(7), output))
self.assertIsNotNone(re.search(r'{} violations total'.format(5), output))
def test_lint_with_list_files(self):
"""


@@ -268,6 +268,7 @@ class UnderscoreTemplateLinter(BaseLinter):
Safe examples::
<%= edx.HtmlUtils.ensureHtml(message) %>
<%= HtmlUtils.ensureHtml(message) %>
<%= _.escape(message) %>
@@ -278,6 +279,8 @@ class UnderscoreTemplateLinter(BaseLinter):
True if the Expression has been safely escaped, and False otherwise.
"""
if expression.expression_inner.startswith('edx.HtmlUtils.'):
return True
if expression.expression_inner.startswith('HtmlUtils.'):
return True
if expression.expression_inner.startswith('_.escape('):