Merge pull request #185 from edx/sustaining/security-fixes

Sustaining Xsslint security fixes
2020-07-22 13:56:54 +05:00
parent 17340353ea a89553f1c3
commit b7fdee226b
8 changed files with 44 additions and 27 deletions
--- a/cms/static/js/views/video/transcripts/file_uploader.js
+++ b/cms/static/js/views/video/transcripts/file_uploader.js
@@ -1,9 +1,11 @@
 define(
    [
        'jquery', 'backbone', 'underscore',
-        'js/views/video/transcripts/utils'
+        'js/views/video/transcripts/utils',
+        'edx-ui-toolkit/js/utils/html-utils'
    ],
-function($, Backbone, _, TranscriptUtils) {
+function($, Backbone, _, TranscriptUtils, HtmlUtils) {
+    'use strict';
    var FileUploader = Backbone.View.extend({
        invisibleClass: 'is-invisible',

@@ -37,9 +39,8 @@ function($, Backbone, _, TranscriptUtils) {

                    return;
                }
-                this.template = _.template(tpl);
-
-                tplContainer.html(this.template({
+                this.template = HtmlUtils.template(tpl);
+                HtmlUtils.setHtml(tplContainer, this.template({
                    ext: this.validFileExtensions,
                    component_locator: this.options.component_locator
                }));
@@ -126,11 +127,12 @@ function($, Backbone, _, TranscriptUtils) {
        *
        */
        checkExtValidity: function(file) {
+            var fileExtension;
            if (!file.name) {
                return void(0);
            }

-            var fileExtension = file.name
+            fileExtension = file.name
                                    .split('.')
                                    .pop()
                                    .toLowerCase();
@@ -153,7 +155,7 @@ function($, Backbone, _, TranscriptUtils) {

            this.$progress
                .width(percentVal)
-                .html(percentVal)
+                .text(percentVal)
                .removeClass(this.invisibleClass);
        },

@@ -177,7 +179,7 @@ function($, Backbone, _, TranscriptUtils) {

            this.$progress
                .width(percentVal)
-                .html(percentVal);
+                .text(percentVal);
        },

        /**
--- a/cms/templates/edit-tabs.html
+++ b/cms/templates/edit-tabs.html
@@ -21,7 +21,7 @@

 <%block name="page_bundle">
    <%static:webpack entry="js/factories/edit_tabs">
-        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id})}");
+        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id}) | n, js_escaped_string}");
    </%static:webpack>
 </%block>

--- a/cms/templates/manage_users_lib.html
+++ b/cms/templates/manage_users_lib.html
@@ -1,3 +1,5 @@
+<%page expression_filter="h"/>
+
 <%inherit file="base.html" />
 <%!
 from django.utils.translation import ugettext as _
@@ -110,7 +112,7 @@ from openedx.core.djangolib.js_utils import (
 <%block name="requirejs">
  require(["js/factories/manage_users_lib"], function(ManageLibraryUsersFactory) {
      ManageLibraryUsersFactory(
-        "${context_library.display_name_with_default | h}",
+        "${context_library.display_name_with_default | n, js_escaped_string}",
        ${users | n, dump_js_escaped_json},
        "${reverse('course_team_handler', kwargs={'course_key_string': library_key, 'email': '@@EMAIL@@'}) | n, js_escaped_string}",
        ${request.user.id | n, dump_js_escaped_json},
--- a/lms/static/js/verify_student/views/pay_and_verify_view.js
+++ b/lms/static/js/verify_student/views/pay_and_verify_view.js
@@ -126,7 +126,10 @@ var edx = edx || {};
            // Get or create the step container
            $stepEl = $('#current-step-container');
            if (!$stepEl.length) {
-                $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                $stepEl = edx.HtmlUtils.append(
+                  $(this.el),
+                  edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                );
            }

            // Render the subview
--- a/lms/static/js/verify_student/views/reverify_view.js
+++ b/lms/static/js/verify_student/views/reverify_view.js
@@ -83,7 +83,10 @@
            // Get or create the step container
             $stepEl = $('#current-step-container');
             if (!$stepEl.length) {
-                 $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                 $stepEl = edx.HtmlUtils.append(
+                   $(this.el),
+                   edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                 );
             }

            // Render the step subview
--- a/lms/static/js/views/image_field.js
+++ b/lms/static/js/views/image_field.js
@@ -1,15 +1,16 @@
 (function(define) {
    'use strict';
    define([
-        'gettext', 'jquery', 'underscore', 'backbone', 'js/views/fields',
+        'gettext', 'jquery', 'underscore', 'backbone',
+        'edx-ui-toolkit/js/utils/html-utils', 'js/views/fields',
        'text!templates/fields/field_image.underscore',
        'backbone-super', 'jquery.fileupload'
-    ], function(gettext, $, _, Backbone, FieldViews, field_image_template) {
+    ], function(gettext, $, _, Backbone, HtmlUtils, FieldViews, FieldImageTemplate) {
        var ImageFieldView = FieldViews.FieldView.extend({

            fieldType: 'image',

-            fieldTemplate: field_image_template,
+            fieldTemplate: FieldImageTemplate,
            uploadButtonSelector: '.upload-button-input',

            titleAdd: gettext('Upload an image'),
@@ -44,7 +45,7 @@
            },

            render: function() {
-                this.$el.html(this.template({
+                var attributes = {
                    id: this.options.valueAttribute,
                    inputName: (this.options.inputName || 'file'),
                    imageUrl: _.result(this, 'imageUrl'),
@@ -54,7 +55,8 @@
                    removeButtonIcon: _.result(this, 'iconRemove'),
                    removeButtonTitle: _.result(this, 'removeButtonTitle'),
                    screenReaderTitle: _.result(this, 'screenReaderTitle')
-                }));
+                };
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
                this.delegateEvents();
                this.updateButtonsVisibility();
                this.watchForPageUnload();
@@ -184,14 +186,14 @@

            showUploadInProgressMessage: function() {
                this.$('.u-field-upload-button').addClass('in-progress');
-                this.$('.upload-button-icon').html(this.iconProgress);
-                this.$('.upload-button-title').html(this.titleUploading);
+                HtmlUtils.setHtml(this.$('.upload-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.upload-button-title'), HtmlUtils.HTML(this.titleUploading));
            },

            showRemovalInProgressMessage: function() {
                this.$('.u-field-remove-button').css('opacity', 1);
-                this.$('.remove-button-icon').html(this.iconProgress);
-                this.$('.remove-button-title').html(this.titleRemoving);
+                HtmlUtils.setHtml(this.$('.remove-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.remove-button-title'), HtmlUtils.HTML(this.titleRemoving));
            },

            setCurrentStatus: function(status) {
--- a/lms/static/js/views/notification.js
+++ b/lms/static/js/views/notification.js
@@ -9,7 +9,7 @@
        },

        render: function() {
-            this.$el.html(this.template({
+            this.$el.html(this.template({ // xss-lint: disable=javascript-jquery-html
                type: this.model.get('type'),
                title: this.model.get('title'),
                message: this.model.get('message'),
--- a/lms/templates/split_test_author_view.html
+++ b/lms/templates/split_test_author_view.html
@@ -1,4 +1,9 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+    from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import HTML, Text
+%>

 <%
 split_test = context.get('split_test')
@@ -11,8 +16,8 @@ show_link = group_configuration_url is not None
    <div class="xblock-message information">
        <p>
            <span class="message-text">
-                ${_("This content experiment uses group configuration '{group_configuration_name}'.").format(
-                    group_configuration_name="<a href='{}'>{}</a>".format(group_configuration_url, user_partition.name) if show_link else user_partition.name
+                ${Text(_("This content experiment uses group configuration '{group_configuration_name}'.")).format(
+                    group_configuration_name=Text(HTML("<a href='{}'>{}</a>")).format(group_configuration_url, user_partition.name) if show_link else user_partition.name
                )}
            </span>
        </p>
@@ -23,13 +28,13 @@ show_link = group_configuration_url is not None
 % if is_root:
    <div class="wrapper-groups is-active">
        <h3 class="sr">${_("Active Groups")}</h3>
-        ${active_groups_preview}
+        ${HTML(active_groups_preview)}
    </div>

    % if inactive_groups_preview:
        <div class="wrapper-groups is-inactive">
            <h3 class="title">${_("Inactive Groups")}</h3>
-            ${inactive_groups_preview}
+            ${HTML(inactive_groups_preview)}
        </div>
    % endif
 % endif