Merge pull request #215 from edx/IM/security-fixes-6

Incident Management Security Fixes 6
This commit is contained in:
Ali Akbar
2021-02-04 00:03:38 +05:00
committed by GitHub
7 changed files with 83 additions and 75 deletions


@@ -1,12 +1,12 @@
<ul class="list-fields list-input datepair date-setter">
<li class="field field-text field-due-date">
<label for="due_date"><%= gettext('Due Date:') %></label>
<label for="due_date"><%- gettext('Due Date:') %></label>
<input type="text" id="due_date" name="due_date" value=""
placeholder="MM/DD/YYYY" class="due-date date input input-text" autocomplete="off"/>
</li>
<li class="field field-text field-due-time">
<label for="due_time"><%= gettext('Due Time in UTC:') %></label>
<label for="due_time"><%- gettext('Due Time in UTC:') %></label>
<input type="text" id="due_time" name="due_time" value=""
placeholder="HH:MM" class="due-time time input input-text" autocomplete="off" />
</li>
@@ -14,9 +14,9 @@
<ul class="list-actions">
<li class="action-item">
<a href="#" data-tooltip="<%= gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
<a href="#" data-tooltip="<%- gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
<span class="icon fa fa-undo" aria-hidden="true"></span>
<span class="sr"><%= gettext('Clear Grading Due Date') %></span>
<span class="sr"><%- gettext('Clear Grading Due Date') %></span>
</a>
</li>
</ul>


@@ -1,3 +1,4 @@
<%page expression_filter="h"/>
<div class="imageinput capa_inputtype" id="inputtype_${id}">
<input
type="hidden"
@@ -37,7 +38,7 @@
</div>
<script type="text/javascript" charset="utf-8">
(new ImageInput('${id}'));
(new ImageInput('${id | n, decode.utf8}'));
</script>
<%include file="status_span.html" args="status=status, status_id=id"/>
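Review bot: `${id | n, decode.utf8}` inside the `<script>` block switches off the page-level `h` filter that the first hunk adds, and the value lands inside a single-quoted JavaScript string literal, so HTML escaping would have been the wrong filter for this spot anyway but nothing context-appropriate replaces it. If `id` is always the system-generated input id (it looks that way, but where the value comes from is outside this file), the hunk should say so next to the line: `## id is generated by the problem system, never learner-supplied; the h filter is disabled because this is a JS string context`. If the repository's `js_escaped_string` Mako filter is available to this template, `${id | n, js_escaped_string}` is the context-correct form and removes the assumption entirely.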


@@ -32,6 +32,8 @@ from sympy.physics.quantum.state import Ket
from sympy.printing.latex import LatexPrinter
from sympy.printing.str import StrPrinter
from openedx.core.djangolib.markup import HTML
log = logging.getLogger(__name__)
log.warning("Dark code. Needs review before enabling in prod.")
@@ -90,8 +92,8 @@ def to_latex(expr):
#return '<math>%s{}{}</math>' % (xs[1:-1])
if expr_s[0] == '$':
return '[mathjax]%s[/mathjax]<br>' % (expr_s[1:-1]) # for sympy v6 # xss-lint: disable=python-interpolate-html
return '[mathjax]%s[/mathjax]<br>' % (expr_s) # for sympy v7 # xss-lint: disable=python-interpolate-html
return HTML('[mathjax]{expression}[/mathjax]<br>').format(expression=expr_s[1:-1]) # for sympy v6
return HTML('[mathjax]{expression}[/mathjax]<br>').format(expression=expr_s) # for sympy v7
def my_evalf(expr, chop=False):
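Review bot: The two new `HTML('[mathjax]{expression}[/mathjax]<br>').format(expression=...)` returns change what `to_latex` emits for LaTeX containing `<`, `>`, `&`, `'` or `"` (sympy prints a strict inequality as `x < 2`): the old `%` interpolation passed such characters through raw, while `Markup.format` entity-encodes them. That is the right outcome if the `[mathjax]…[/mathjax]` text is inserted into the page as HTML and MathJax reads the decoded DOM text, but it is a behaviour change for any consumer that string-matches or re-parses the raw LaTeX, so it is worth confirming against the code that handles the `[mathjax]` marker and adding a one-line comment such as `# expr_s is HTML-escaped here; the [mathjax] markup is rendered client-side from the decoded text`. Separately, the `from openedx.core.djangolib.markup import HTML` line is appended directly to the sympy import group; project imports belong in their own group after a blank line. `to_latex` begins before this hunk.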


@@ -12,6 +12,10 @@
import logging
import traceback
from markupsafe import escape
from openedx.core.djangolib.markup import HTML
from .formula import *
log = logging.getLogger(__name__)
@@ -49,8 +53,9 @@ def symmath_check_simple(expect, ans, adict={}, symtab=None, extra_options=None)
)
except Exception as err:
return {'ok': False,
'msg': 'Error %s<br/>Failed in evaluating check(%s,%s)' % (err, expect, ans)
}
'msg': HTML('Error {err}<br/>Failed in evaluating check({expect},{ans})').format(
err=err, expect=expect, ans=ans
)}
return ret
#-----------------------------------------------------------------------------
@@ -94,22 +99,28 @@ def check(expect, given, numerical=False, matrix=False, normphase=False, abcsym=
try:
xgiven = my_sympify(given, normphase, matrix, do_qubit=do_qubit, abcsym=abcsym, symtab=symtab)
except Exception as err:
return {'ok': False, 'msg': 'Error %s<br/> in evaluating your expression "%s"' % (err, given)}
return {'ok': False, 'msg': HTML('Error {err}<br/> in evaluating your expression "{given}"').format(
err=err, given=given
)}
try:
xexpect = my_sympify(expect, normphase, matrix, do_qubit=do_qubit, abcsym=abcsym, symtab=symtab)
except Exception as err:
return {'ok': False, 'msg': 'Error %s<br/> in evaluating OUR expression "%s"' % (err, expect)}
return {'ok': False, 'msg': HTML('Error {err}<br/> in evaluating OUR expression "{expect}"').format(
err=err, expect=expect
)}
if 'autonorm' in flags: # normalize trace of matrices
try:
xgiven /= xgiven.trace()
except Exception as err:
return {'ok': False, 'msg': 'Error %s<br/> in normalizing trace of your expression %s' % (err, to_latex(xgiven))}
return {'ok': False, 'msg': HTML('Error {err}<br/> in normalizing trace of your expression {xgiven}').
format(err=err, xgiven=to_latex(xgiven))}
try:
xexpect /= xexpect.trace()
except Exception as err:
return {'ok': False, 'msg': 'Error %s<br/> in normalizing trace of OUR expression %s' % (err, to_latex(xexpect))}
return {'ok': False, 'msg': HTML('Error {err}<br/> in normalizing trace of OUR expression {xexpect}').
format(err=err, xexpect=to_latex(xexpect))}
msg = 'Your expression was evaluated as ' + to_latex(xgiven)
# msg += '<br/>Expected ' + to_latex(xexpect)
@@ -145,7 +156,7 @@ def check(expect, given, numerical=False, matrix=False, normphase=False, abcsym=
def make_error_message(msg):
# msg = msg.replace('<p>','<p><span class="inline-error">').replace('</p>','</span></p>')
msg = '<div class="capa_alert">%s</div>' % msg
msg = HTML('<div class="capa_alert">{msg}</div>').format(msg=msg)
return msg
@@ -210,7 +221,7 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
try:
fexpect = my_sympify(str(expect), matrix=do_matrix, do_qubit=do_qubit)
except Exception as err:
msg += '<p>Error %s in parsing OUR expected answer "%s"</p>' % (err, expect)
msg += HTML('<p>Error {err} in parsing OUR expected answer "{expect}"</p>').format(err=err, expect=expect)
return {'ok': False, 'msg': make_error_message(msg)}
###### Sympy input #######
@@ -226,18 +237,19 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
if is_within_tolerance(fexpect, fans, threshold):
return {'ok': True, 'msg': msg}
else:
msg += '<p>You entered: %s</p>' % to_latex(fans)
msg += HTML('<p>You entered: {fans}</p>').format(fans=to_latex(fans))
return {'ok': False, 'msg': msg}
if do_numerical: # numerical answer expected - force numerical comparison
if is_within_tolerance(fexpect, fans, threshold):
return {'ok': True, 'msg': msg}
else:
msg += '<p>You entered: %s (note that a numerical answer is expected)</p>' % to_latex(fans)
msg += HTML('<p>You entered: {fans} (note that a numerical answer is expected)</p>').\
format(fans=to_latex(fans))
return {'ok': False, 'msg': msg}
if fexpect == fans:
msg += '<p>You entered: %s</p>' % to_latex(fans)
msg += HTML('<p>You entered: {fans}</p>').format(fans=to_latex(fans))
return {'ok': True, 'msg': msg}
###### PMathML input ######
@@ -255,20 +267,18 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
# if DEBUG: msg += '<p/> mmlans=%s' % repr(mmlans).replace('<','&lt;')
try:
fsym = f.sympy
msg += '<p>You entered: %s</p>' % to_latex(f.sympy)
msg += HTML('<p>You entered: {sympy}</p>').format(sympy=to_latex(f.sympy))
except Exception as err:
log.exception("Error evaluating expression '%s' as a valid equation", ans)
msg += "<p>Error in evaluating your expression '%s' as a valid equation</p>" % (ans)
msg += HTML("<p>Error in evaluating your expression '{ans}' as a valid equation</p>").format(ans=ans)
if "Illegal math" in str(err):
msg += "<p>Illegal math expression</p>"
msg += HTML("<p>Illegal math expression</p>")
if DEBUG:
msg += 'Error: %s' % str(err).replace('<', '&lt;')
msg += '<hr>'
msg += '<p><font color="blue">DEBUG messages:</p>'
msg += "<p><pre>%s</pre></p>" % traceback.format_exc()
msg += '<p>cmathml=<pre>%s</pre></p>' % f.cmathml.replace('<', '&lt;')
msg += '<p>pmathml=<pre>%s</pre></p>' % mmlans.replace('<', '&lt;')
msg += '<hr>'
msg += HTML('Error: {err}<hr><p><font color="blue">DEBUG messages:</p><p><pre>{format_exc}</pre></p>'
'<p>cmathml=<pre>{cmathml}</pre></p><p>pmathml=<pre>{pmathml}</pre></p><hr>').format(
err=escape(str(err)), format_exc=traceback.format_exc(), cmathml=escape(f.cmathml),
pmathml=escape(mmlans)
)
return {'ok': False, 'msg': make_error_message(msg)}
# do numerical comparison with expected
@@ -277,9 +287,9 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
if abs(abs(fsym - fexpect) / fexpect) < threshold:
return {'ok': True, 'msg': msg}
return {'ok': False, 'msg': msg}
msg += "<p>Expecting a numerical answer!</p>"
msg += "<p>given = %s</p>" % repr(ans)
msg += "<p>fsym = %s</p>" % repr(fsym)
msg += HTML("<p>Expecting a numerical answer!</p><p>given = {ans}</p><p>fsym = {fsym}</p>").format(
ans=repr(ans), fsym=repr(fsym)
)
# msg += "<p>cmathml = <pre>%s</pre></p>" % str(f.cmathml).replace('<','&lt;')
return {'ok': False, 'msg': make_error_message(msg)}
@@ -297,12 +307,12 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
if abs(dm.vec().norm().evalf()) < threshold:
return {'ok': True, 'msg': msg}
except sympy.ShapeError:
msg += "<p>Error - your input vector or matrix has the wrong dimensions"
msg += HTML("<p>Error - your input vector or matrix has the wrong dimensions")
return {'ok': False, 'msg': make_error_message(msg)}
except Exception as err:
msg += "<p>Error %s in comparing expected (a list) and your answer</p>" % str(err).replace('<', '&lt;')
msg += HTML("<p>Error %s in comparing expected (a list) and your answer</p>").format(escape(str(err)))
if DEBUG:
msg += "<p/><pre>%s</pre>" % traceback.format_exc()
msg += HTML("<p/><pre>{format_exc}</pre>").format(format_exc=traceback.format_exc())
return {'ok': False, 'msg': make_error_message(msg)}
#diff = (fexpect-fsym).simplify()
@@ -314,15 +324,13 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
diff = None
if DEBUG:
msg += '<hr>'
msg += '<p><font color="blue">DEBUG messages:</p>'
msg += "<p>Got: %s</p>" % repr(fsym)
msg += HTML('<hr><p><font color="blue">DEBUG messages:</p><p>Got: {fsym}</p><p>Expecting: {fexpect}</p>')\
.format(fsym=repr(fsym), fexpect=repr(fexpect).replace('**', '^').replace('hat(I)', 'hat(i)'))
# msg += "<p/>Got: %s" % str([type(x) for x in fsym.atoms()]).replace('<','&lt;')
msg += "<p>Expecting: %s</p>" % repr(fexpect).replace('**', '^').replace('hat(I)', 'hat(i)')
# msg += "<p/>Expecting: %s" % str([type(x) for x in fexpect.atoms()]).replace('<','&lt;')
if diff:
msg += "<p>Difference: %s</p>" % to_latex(diff)
msg += '<hr>'
msg += HTML("<p>Difference: {diff}</p>").format(diff=to_latex(diff))
msg += HTML('<hr>')
# Used to return more keys: 'ex': fexpect, 'got': fsym
return {'ok': False, 'msg': msg}
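Review bot: In the `except Exception as err:` branch of the list-comparison block, `HTML("<p>Error %s in comparing expected (a list) and your answer</p>").format(escape(str(err)))` mixes a `%s` placeholder with a `.format()` call, so the positional argument is silently ignored and the literal text `Error %s in comparing …` is emitted without the error; it should read `msg += HTML("<p>Error {err} in comparing expected (a list) and your answer</p>").format(err=err)`. The `escape(str(err))` wrappers there and in the DEBUG block of the earlier hunk (`err=escape(str(err))`, `cmathml=escape(f.cmathml)`, `pmathml=escape(mmlans)`) are redundant because `Markup.format` already escapes every argument that does not carry `__html__`; they are harmless but suggest the formatter does not escape, which misleads the next maintainer. The pre-existing `<p>` in the `sympy.ShapeError` message is still left unclosed. `symmath_check` starts and ends outside these hunks.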


@@ -1,21 +1,14 @@
(function(requirejs, require, define) {
define([], function() {
define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
return BaseImage;
function BaseImage(state) {
var $baseImageElContainer;
$baseImageElContainer = $(
'<div ' +
'class="base_image_container" ' +
'style=" ' +
'position: relative; ' +
'margin-bottom: 25px; ' +
'margin-left: auto; ' +
'margin-right: auto; ' +
'" ' +
'></div>'
);
$baseImageElContainer = $(HtmlUtils.joinHtml(
HtmlUtils.HTML('<div class="base_image_container" style=" position: relative; margin-bottom: 25px; '),
HtmlUtils.HTML('margin-left: auto; margin-right: auto; " ></div>')
).toString());
state.baseImageEl = $('<img />', {
alt: gettext('Drop target image')
@@ -38,12 +31,13 @@
state.baseImageLoaded = true;
});
state.baseImageEl.error(function() {
var errorMsg = HtmlUtils.joinHtml(
HtmlUtils.HTML('<span style="color: red;">'),
HtmlUtils.HTML('ERROR: Image "'), state.config.baseImage, HtmlUtils.HTML('" was not found!'),
HtmlUtils.HTML('</span>')
);
console.log('ERROR: Image "' + state.config.baseImage + '" was not found!');
$baseImageElContainer.html(
'<span style="color: red;">' +
'ERROR: Image "' + state.config.baseImage + '" was not found!' +
'</span>'
);
HtmlUtils.setHtml($baseImageElContainer, errorMsg);
$baseImageElContainer.appendTo(state.containerEl);
});
}


@@ -4,6 +4,8 @@
<%!
from django.utils.translation import ugettext as _
from django.urls import reverse
from openedx.core.djangolib.markup import HTML, Text
%>
<%block name="title"><title>${_("Contact {platform_name}").format(platform_name=settings.PLATFORM_NAME)}</title></%block>
@@ -25,39 +27,40 @@ from django.urls import reverse
<p>${_("We are always seeking feedback to improve our courses. If you are an enrolled student and have any questions, feedback, suggestions, or any other issues specific to a particular class, please post on the discussion forums of that class.")}</p>
<h2>${_("General Inquiries and Feedback")}</h2>
<p>${_('If you have a general question about {platform_name} please email {email}. To see if your question has already been answered, visit our {faq_link_start}FAQ page{faq_link_end}. You can also join the discussion on our {fb_link_start}facebook page{fb_link_end}. Though we may not have a chance to respond to every email, we take all feedback into consideration.').format(
<p>${Text(_('If you have a general question about {platform_name} please email {email}. To see if your question has already been answered, visit our {faq_link_start}FAQ page{faq_link_end}. You can also join the discussion on our {fb_link_start}facebook page{fb_link_end}. Though we may not have a chance to respond to every email, we take all feedback into consideration.')).format(
platform_name=settings.PLATFORM_NAME,
email='<a href="mailto:{contact_email}">{contact_email}</a>'.format(contact_email=settings.CONTACT_EMAIL),
faq_link_start='<a href="{url}">'.format(url=reverse('faq_edx')),
faq_link_end='</a>',
fb_link_start='<a href="http://www.facebook.com/EdxOnline">',
fb_link_end='</a>'
email=HTML('<a href="mailto:{contact_email}">{contact_email}</a>').format(contact_email=settings.CONTACT_EMAIL),
faq_link_start=HTML('<a href="{url}">').format(url=reverse('faq_edx')),
faq_link_end=HTML('</a>'),
fb_link_start=HTML('<a href="http://www.facebook.com/EdxOnline">'),
fb_link_end=HTML('</a>')
)}</p>
<h2>${_("Technical Inquiries and Feedback")}</h2>
<p>${_('If you have suggestions/feedback about the overall {platform_name} platform, or are facing general technical issues with the platform (e.g., issues with email addresses and passwords), you can reach us at {tech_email}. For technical questions, please make sure you are using a current version of Firefox or Chrome, and include browser and version in your e-mail, as well as screenshots or other pertinent details. If you find a bug or other issues, you can reach us at the following: {bug_email}.').format(
<p>${Text(_('If you have suggestions/feedback about the overall {platform_name} platform, or are facing general technical issues with the platform (e.g., issues with email addresses and passwords), you can reach us at {tech_email}. For technical questions, please make sure you are using a current version of Firefox or Chrome, and include browser and version in your e-mail, as well as screenshots or other pertinent details. If you find a bug or other issues, you can reach us at the following: {bug_email}.')).format(
platform_name=settings.PLATFORM_NAME,
tech_email='<a href="mailto:{tech_support_email}">{tech_support_email}</a>'.format(tech_support_email=settings.TECH_SUPPORT_EMAIL),
bug_email='<a href="mailto:{bugs_email}">{bugs_email}</a>'.format(bugs_email=settings.BUGS_EMAIL)
tech_email=HTML('<a href="mailto:{tech_support_email}">{tech_support_email}</a>').format(tech_support_email=settings.TECH_SUPPORT_EMAIL),
bug_email=HTML('<a href="mailto:{bugs_email}">{bugs_email}</a>').format(bugs_email=settings.BUGS_EMAIL)
)}</p>
<h2>${_("Media")}</h2>
<p>${_('Please visit our {link_start}media/press page{link_end} for more information. For any media or press inquiries, please email {email}.').format(
link_start='<a href="{url}">'.format(url=reverse('faq_edx')),
link_end='</a>',
email='<a href="mailto:{email}">{email}</a>'.format(email="press@edx.org"),
<p>${Text(_('Please visit our {link_start}media/press page{link_end} for more information. For any media or press inquiries, please email {email}.')).format(
link_start=HTML('<a href="{url}">').format(url=reverse('faq_edx')),
link_end=HTML('</a>'),
email=HTML('<a href="mailto:{email}">{email}</a>').format(email="press@edx.org"),
)}</p>
<h2>${_("Universities")}</h2>
<p>${_('If you are a university wishing to collaborate or you have questions about {platform_name}, please email {email}.'.format(
<p>${Text(_('If you are a university wishing to collaborate or you have questions about {platform_name}, please email {email}.')).format(
platform_name="edX",
email='<a href="mailto:{email}">{email}</a>'.format(
email=HTML('<a href="mailto:{email}">{email}</a>').format(
email="university@edx.org"
)
))}</p>
)}</p>
<h2>${_("Accessibility")}</h2>
<p>${_('{platform_name} strives to create an innovative online-learning platform that promotes accessibility for everyone, including students with disabilities. We are dedicated to improving the accessibility of the platform and welcome your comments or questions at {email}.'.format(platform_name="EdX", email='<a href="mailto:{email}">{email}</a>'.format(email="accessibility@edx.org")))}</p>
<p>${Text(_('{platform_name} strives to create an innovative online-learning platform that promotes accessibility for everyone, including students with disabilities. We are dedicated to improving the accessibility of the platform and welcome your comments or questions at {email}.')).format(
platform_name="EdX", email=HTML('<a href="mailto:{email}">{email}</a>').format(email="accessibility@edx.org"))}</p>
</div>
</section>
</section>


@@ -153,7 +153,7 @@
delete_module: false
};
successMessage = gettext("Success! Problem attempts reset for problem '<%- problem_id %>' and student '<%- student_id %>'."); // eslint-disable-line max-len
errorMessage = gettext("Error resetting problem attempts for problem '<%= problem_id %>' and student '<%- student_id %>'. Make sure that the problem and student identifiers are complete and correct."); // eslint-disable-line max-len
errorMessage = gettext("Error resetting problem attempts for problem '<%- problem_id %>' and student '<%- student_id %>'. Make sure that the problem and student identifiers are complete and correct."); // eslint-disable-line max-len
fullSuccessMessage = _.template(successMessage)({
problem_id: problemToReset,
student_id: uniqStudentIdentifier
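Review bot: The `errorMessage` fix holds only as long as translators keep the `<%- %>` placeholders verbatim, because both `successMessage` and `errorMessage` are `gettext` results that the next lines compile with `_.template`; whatever template syntax a translation contains is evaluated as code, so the `.po` entries for these strings are trusted input, not data. That contract is not visible anywhere in the hunk and deserves a comment above the `successMessage` line: `// NOTE: these gettext strings are compiled as underscore templates; translations must keep the <%- %> placeholders exactly (they are trusted template code)`. The enclosing function starts and ends outside the hunk.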