XSS escape cms/templates/course_outline.html

2016-03-23 15:56:22 -04:00
parent ac951c4bd2
commit b81a15d57f
2 changed files with 9 additions and 9 deletions
--- a/cms/djangoapps/contentstore/views/course.py
+++ b/cms/djangoapps/contentstore/views/course.py
@@ -553,11 +553,8 @@ def _deprecated_blocks_info(course_module, deprecated_block_types):
    except errors.CourseStructureNotAvailableError:
        return data

-    blocks = []
    for block in structure_data['blocks'].values():
-        blocks.append([reverse_usage_url('container_handler', block['parent']), block['display_name']])
-
-    data['blocks'].extend(blocks)
+        data['blocks'].append([reverse_usage_url('container_handler', block['parent']), block['display_name']])

    return data

--- a/cms/templates/course_outline.html
+++ b/cms/templates/course_outline.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "outline" %></%def>
 <%!
@@ -7,6 +8,7 @@ from django.utils.translation import ugettext as _
 from openedx.core.djangolib.js_utils import dump_js_escaped_json
 from contentstore.utils import reverse_usage_url
 from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
+from openedx.core.djangolib.markup import Text, HTML
 %>
 <%block name="title">${_("Course Outline")}</%block>
 <%block name="bodyclass">is-signedin course view-outline</%block>
@@ -71,7 +73,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                      % for component_parent_url, component_display_name in deprecated_blocks_info['blocks']:
                          <li class="nav-item">
                                % if component_display_name:
-                                    <a href="${component_parent_url}">${_(component_display_name)}</a>
+                                    <a href="${component_parent_url}">${component_display_name}</a>
                                % else:
                                    <a href="${component_parent_url}">${_("Deprecated Component")}</a>
                                % endif
@@ -85,9 +87,10 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
            % if deprecated_blocks_info.get('block_types_enabled'):
              <div class="advance-modules-list">
                <p class="advance-modules-remove-text">
-                  ${_("To avoid errors, {platform_name} strongly recommends that you remove unsupported features from the course advanced settings. To do this, go to the {link_start}Advanced Settings page{link_end}, locate the \"Advanced Module List\" setting, and then delete the following modules from the list.").format(
+                  ${Text(_("To avoid errors, {platform_name} strongly recommends that you remove unsupported features from the course advanced settings. To do this, go to the {link_start}Advanced Settings page{link_end}, locate the \"Advanced Module List\" setting, and then delete the following modules from the list.")).format(
                    platform_name=static.get_platform_name(),
-                    link_start='<a href="{advance_settings_url}">'.format(advance_settings_url=deprecated_blocks_info['advance_settings_url']), link_end="</a>"
+                    link_start=HTML('<a href="{advance_settings_url}">').format(advance_settings_url=deprecated_blocks_info['advance_settings_url']),
+                    link_end=HTML("</a>")
                  )}
                </p>
                <nav class="nav-related" aria-label="${_('Unsupported Advance Modules')}">
@@ -178,7 +181,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                course_locator = context_course.location
                %>
                <h2 class="sr">${_("Course Outline")}</h2>
-                <article class="outline outline-complex outline-course" data-locator="${course_locator | h}" data-course-key="${course_locator.course_key | h}">
+                <article class="outline outline-complex outline-course" data-locator="${course_locator}" data-course-key="${course_locator.course_key}">
                </article>
            </div>
            <div class="ui-loading">
@@ -196,7 +199,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                <p>${_("Select the Configure icon for a section or subsection to set its release date. When you configure a subsection, you can also set the grading policy and due date.")}</p>
                <h3 class="title-3">${_("Changing the content students see")}</h3>
                <p>${_("To publish draft content, select the Publish icon for a section, subsection, or unit.")}</p>
-                <p>${_("To hide content from students, select the Configure icon for a section, subsection, or unit, then select {em_start}Hide from students{em_end}.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("To hide content from students, select the Configure icon for a section, subsection, or unit, then select {em_start}Hide from students{em_end}.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
            </div>
            <div class="bit external-help">
                <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>