From 0f7898922051c8069258d35d5d280badcae61ee3 Mon Sep 17 00:00:00 2001
From: Peter Fogg
Date: Thu, 17 Sep 2015 16:14:57 -0400
Subject: [PATCH 1/2] Escape team name in screenreader text.
---
 .../test/acceptance/tests/lms/test_teams.py | 40 +++++++++++++++----
 .../teams/static/teams/js/views/team_card.js | 2 +-
 2 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/common/test/acceptance/tests/lms/test_teams.py b/common/test/acceptance/tests/lms/test_teams.py
index db7ad3de81..e3cf25417b 100644
--- a/common/test/acceptance/tests/lms/test_teams.py
+++ b/common/test/acceptance/tests/lms/test_teams.py
@@ -8,9 +8,10 @@ import time
 from dateutil.parser import parse
 import ddt
 from nose.plugins.attrib import attr
+from selenium.common.exceptions import TimeoutException
 from uuid import uuid4
-from ..helpers import EventsTestMixin, UniqueCourseTest
+from ..helpers import get_modal_alert, EventsTestMixin, UniqueCourseTest
 from ...fixtures import LMS_BASE_URL
 from ...fixtures.course import CourseFixture
 from ...fixtures.discussion import (
@@ -60,18 +61,23 @@ class TeamsTabBase(EventsTestMixin, UniqueCourseTest): 'language': 'aa', 'country': 'AF' } - response = self.course_fixture.session.post( - LMS_BASE_URL + '/api/team/v0/teams/', - data=json.dumps(team), - headers=self.course_fixture.headers - ) + teams.append(self.post_team_data(team)) # Sadly, this sleep is necessary in order to ensure that # sorting by last_activity_at works correctly when running # in Jenkins. time.sleep(time_between_creation) - teams.append(json.loads(response.text)) return teams + def post_team_data(self, team_data): + """Given a JSON representation of a team, post it to the server.""" + response = self.course_fixture.session.post( + LMS_BASE_URL + '/api/team/v0/teams/', + data=json.dumps(team_data), + headers=self.course_fixture.headers + ) + self.assertEqual(response.status_code, 200) + return json.loads(response.text) + def create_membership(self, username, team_id): """Assign `username` to `team_id`.""" response = self.course_fixture.session.post( @@ -838,6 +844,26 @@ class BrowseTeamsWithinTopicTest(TeamsTabBase): with self.assert_events_match_during(self.only_team_events, expected_events=events): self.browse_teams_page.visit() + def test_team_name_xss(self): + """ + Scenario: Team names should be HTML-escaped on the teams page + Given I am enrolled in a course with teams enabled + When I visit the Teams page for a topic, with a team name containing JS code + Then I should not see any alerts + """ + team = self.post_team_data({ + 'course_id': self.course_id, + 'topic_id': self.topic['id'], + 'name': '', + 'description': 'Description', + 'language': 'aa', + 'country': 'AF' + }) + with self.assertRaises(TimeoutException): + self.browser.get(self.browse_teams_page.url) + alert = get_modal_alert(self.browser) + alert.accept() + @attr('shard_5') class TeamFormActions(TeamsTabBase): 
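Review bot: The docstring on the new `post_team_data` helper says it takes "a JSON representation of a team", but the body serialises `team_data` itself with `json.dumps`, so callers pass a plain dict; suggest `"""POST ``team_data`` (a dict) to the teams API as JSON, assert a 200 response and return the decoded body."""`. The added `self.assertEqual(response.status_code, 200)` is an improvement over the inlined code it replaces, where a failed create only surfaced as a confusing later failure; whether the create endpoint answers 200 rather than 201 is not visible here, so that is worth confirming against the API. The enclosing `create_teams` loop starts before this hunk and `create_membership` continues after it.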
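Review bot: In `test_team_name_xss` the `assertRaises(TimeoutException)` block also wraps `self.browser.get(self.browse_teams_page.url)`, so a page-load timeout raised by the driver would satisfy the assertion without the alert check ever running; move the navigation out of the block: `self.browser.get(self.browse_teams_page.url)` / `with self.assertRaises(TimeoutException):` / `    get_modal_alert(self.browser).accept()`. The test is also purely negative — it passes just as well if the team card never renders at all — so a positive assertion that the card shows the team's name as visible text would confirm the page actually displayed the user-supplied value. This reading assumes `get_modal_alert` waits for an alert and raises `TimeoutException` when none appears, since its implementation is outside this patch. As rendered on this page the `'name'` value reads `''`, which looks like the page extraction dropped the markup in the payload; if the source really were an empty string the test would exercise nothing.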
diff --git a/lms/djangoapps/teams/static/teams/js/views/team_card.js b/lms/djangoapps/teams/static/teams/js/views/team_card.js index b9561e0bef..770a112814 100644 --- a/lms/djangoapps/teams/static/teams/js/views/team_card.js +++ b/lms/djangoapps/teams/static/teams/js/views/team_card.js @@ -135,7 +135,7 @@ actionContent: function() { return interpolate( gettext('View %(span_start)s %(team_name)s %(span_end)s'), - {span_start: '', team_name: this.teamModel().get('name'), span_end: ''}, + {span_start: '', team_name: _.escape(this.teamModel().get('name')), span_end: ''}, true ); }, From dbc0803fc9cd29142b5b07084203e3cd1c716035 Mon Sep 17 00:00:00 2001 From: Kevin Falcone Date: Thu, 17 Sep 2015 17:53:11 -0400 Subject: [PATCH 2/2] Quality fix (team isn't used) --- common/test/acceptance/tests/lms/test_teams.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/test/acceptance/tests/lms/test_teams.py b/common/test/acceptance/tests/lms/test_teams.py index e3cf25417b..40d6dc963d 100644 --- a/common/test/acceptance/tests/lms/test_teams.py +++ b/common/test/acceptance/tests/lms/test_teams.py @@ -851,7 +851,7 @@ class BrowseTeamsWithinTopicTest(TeamsTabBase): When I visit the Teams page for a topic, with a team name containing JS code Then I should not see any alerts """ - team = self.post_team_data({ + self.post_team_data({ 'course_id': self.course_id, 'topic_id': self.topic['id'], 'name': '',
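Review bot: Applying `_.escape` to the team name alone is the right place for it, because the interpolated string carries the trusted span wrappers and so cannot be escaped as a whole; a comment would keep the next reader from "simplifying" it away, e.g. `// team name is user input rendered as HTML: escape it here, since the span wrappers around it must stay raw`. That the result is inserted as HTML is inferred from the wrappers, as the consumer of `actionContent` is outside the hunk, and the `span_start`/`span_end` values read as `''` on this page, which suggests the extraction stripped their markup. This hunk covers only this one rendering of the name; other views that render the same model field are not in the patch and the acceptance test checks only the browse-teams page, so they are worth the same check. The object containing `actionContent` continues outside the hunk.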