Fix XSS lint issues for course_cta_text

PROD-1602
Waheed Ahmed
2020-05-19 13:52:39 +05:00
parent ead8e35b5e
commit c7f4e16470
12 changed files with 67 additions and 42 deletions


@@ -14,6 +14,7 @@ from django.http import HttpResponse
from django.test import TransactionTestCase, override_settings
from django.test.client import RequestFactory
from django.urls import reverse
from django.utils.html import escape
from mock import Mock, patch
from six import text_type
@@ -600,9 +601,7 @@ class SecondaryEmailChangeRequestTests(EventTestMixin, EmailTemplateTagMixin, Ca
self._assert_email(
subject=u'Confirm your recovery email for édX',
body_fragments=[
u'You\'ve registered this recovery email address for édX.'.format(
new_email=new_email,
),
u'You\'ve registered this recovery email address for édX.',
u'If you set this email address, click "confirm email."',
u'If you didn\'t request this change, you can disregard this email.',
u'http://edx.org/activate_secondary_email/{key}'.format(key=registration_key),
@@ -623,6 +622,6 @@ class SecondaryEmailChangeRequestTests(EventTestMixin, EmailTemplateTagMixin, Ca
assert message.subject == subject
for body in text, html:
for fragment in body_fragments:
assert fragment in body
for fragment in body_fragments:
assert fragment in text
assert escape(fragment) in html
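Review bot: The new `assert escape(fragment) in html` only exercises the escaping path for fragments that `escape` actually changes — the `'` and `"` in the literal sentences — while for the activation URL and the platform name `escape(fragment) == fragment`, so those checks are equivalent to the old one. In particular the platform name here is `édX`, which has no escapable character, so the test cannot detect the interpolated `{{ platform_name }}` being escaped twice (once by `blocktrans`, once by the enclosing `{% filter force_escape %}`), which is the failure mode this lint-driven change is most likely to introduce. Consider a second case with a platform name such as `Bob & Jane's edX`, asserting `escape(name) in html` and `'&amp;#39;' not in html` (and `'&amp;amp;' not in html`) so over-escaping surfaces. `_assert_email`'s signature lies outside the hunk, so the fixture that supplies the platform name is not visible here.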


@@ -29,7 +29,9 @@
<br />
</p>
{% trans "Activate Your Account" as course_cta_text %}{{ course_cta_text | force_escape }}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Activate Your Account{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_activation_link %}
</td>
</tr>
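Review bot: The `{% filter force_escape %}` wrapped around `{% blocktrans asvar course_cta_text %}` escapes nothing: `asvar` stores the text in the variable and the tag itself renders an empty string, so the filter runs on `''` and `course_cta_text` reaches the include exactly as the translation catalog supplies it. The lint counter goes down, but escaping of the button label now rests entirely on how `return_to_course_cta.html` (not in this diff) renders the variable; if that template is ever rendered with autoescape off or marks the value safe, a translation string containing markup lands in the mail unescaped. Escape the value where it is used instead and drop the no-op wrapper: `{% blocktrans asvar course_cta_text %}Activate Your Account{% endblocktrans %}` followed by `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape course_cta_url=confirm_activation_link %}`, or apply `|force_escape` inside the included template. The previous line also emitted `{{ course_cta_text | force_escape }}` before the button; if that output was intentional rather than a duplicate label, this hunk silently removes it.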


@@ -34,9 +34,10 @@
{% trans "If you didn't request this change, you can disregard this email - we have not yet reset your password." as tmsg %}{{ tmsg | force_escape }}
<br />
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Create Password" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Create Password{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=reset_link %}
</td>
</tr>
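Review bot: The `{# xss-lint: disable=django-trans-missing-escape #}` suppression is replaced by a construct that satisfies the linter without escaping anything — `{% blocktrans asvar course_cta_text %}` writes to the context and renders `''`, so the enclosing `{% filter force_escape %}` has no effect on the value passed to the include. The password-reset CTA label is therefore only as safe as `return_to_course_cta.html`'s own rendering of `course_cta_text`, which this diff does not show. Apply the escape at the point of use, `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape course_cta_url=reset_link %}`, and remove the wrapper so the template does not document a guarantee it does not provide.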


@@ -15,8 +15,10 @@
{% endfilter %}
<br />
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Confirm Email Change" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Confirm Email Change{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_link %}
<p style="color: rgba(0,0,0,.75);">
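Review bot: Wrapping `{% blocktrans asvar course_cta_text %}Confirm Email Change{% endblocktrans %}` in `{% filter force_escape %}` is a no-op, because an `asvar` block renders nothing and the filter only sees that empty output; `course_cta_text` is handed to the include unescaped by this template. The visible effect of the hunk is to retire a lint suppression, not to add an escape. Either pass `course_cta_text=course_cta_text|force_escape` in the `{% include ... with %}` clause or escape inside `return_to_course_cta.html`, and state which one is the contract with a short comment such as `{# course_cta_text is escaped by return_to_course_cta.html #}` so the next reader does not assume the wrapper does it.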


@@ -7,16 +7,22 @@
<tr>
<td>
<h1>
{% trans "Create Recovery Email" %}
{% trans "Create Recovery Email" as create_recovery_text %}{{ create_recovery_text | force_escape }}
</h1>
<p style="color: rgba(0,0,0,.75);">
{% filter force_escape %}
{% blocktrans %}You've registered this recovery email address for {{ platform_name }}.{% endblocktrans %}
{% endfilter %}
<br/>
{% filter force_escape %}
{% blocktrans %}If you set this email address, click "confirm email." If you didn't request this change, you can disregard this email.{% endblocktrans %}
{% endfilter %}
<br />
</p>
{% trans "Confirm Email" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Confirm Email{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_link %}
</td>
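Review bot: The `{% filter force_escape %}` around `{% blocktrans asvar course_cta_text %}Confirm Email{% endblocktrans %}` escapes an empty string — `asvar` assigns the variable and renders nothing — so the "Confirm Email" label reaches `return_to_course_cta.html` without any escaping from this template; pass `course_cta_text=course_cta_text|force_escape` in the include's `with` clause instead. Separately, the `{% filter force_escape %}` blocks that contain `{% blocktrans %}You've registered this recovery email address for {{ platform_name }}.{% endblocktrans %}` escape `platform_name` twice when autoescape is on, since `blocktrans` already escapes interpolated variables before substitution; a platform name containing `&` or `'` would presumably show up as `&amp;amp;` / `&amp;#39;` in the mail. If those blocks are new in this commit rather than context, the repo's own `interpolate_html ... platform_name=platform_name|force_escape|safe` pattern (used in the course-enrollment templates in this same commit) avoids that. The heading change to `{% trans "Create Recovery Email" as create_recovery_text %}{{ create_recovery_text | force_escape }}` is fine.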


@@ -7,9 +7,12 @@
<tr>
<td>
<p>
{% blocktrans trimmed %}
{{ comment_username }} replied to <b>{{ thread_title }}</b>:
{% filter force_escape %}
{% blocktrans trimmed asvar replied_to_text %}
{{ comment_username }} replied to
{% endblocktrans %}
{% endfilter %}
{{ replied_to_text }} <b>{{ thread_title }}</b>:
</p>
<div style="border-left: 1px solid rgba(0,0,0,0.25);
padding: 1px 1px 1px 15px;
@@ -18,7 +21,9 @@
{{ comment_body }}
</div>
{% trans "View discussion" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}View discussion{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=post_link%}
{% block google_analytics_pixel %}
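Review bot: The split of the "replied to" line looks wrong on both the escaping and the i18n side. `{% blocktrans trimmed asvar replied_to_text %}` already substitutes `comment_username` (escaped under autoescape) into the stored string, the surrounding `{% filter force_escape %}` acts only on the tag's empty output, and `{{ replied_to_text }}` then autoescapes the stored text a second time — so a username such as `O'Brien` is presumably rendered as `O&amp;#39;Brien`, while with autoescape off both `{{ replied_to_text }}` and `{{ thread_title }}` would reach the HTML raw. It also turns one sentence into a fragment that translators can no longer reorder around the thread title. The `interpolate_html` pattern this commit already relies on elsewhere fits here: `{% blocktrans trimmed asvar replied_to_text %}{comment_username} replied to {start_b}{thread_title}{end_b}:{% endblocktrans %}` followed by `{% interpolate_html replied_to_text comment_username=comment_username|force_escape|safe thread_title=thread_title|force_escape|safe start_b='<b>'|safe end_b='</b>'|safe %}` (assuming its placeholder convention matches the `start_strong`/`course_name` usage visible further down). The `View discussion` CTA in the second hunk has the same no-op `force_escape` wrapper around an `asvar` block.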


@@ -21,7 +21,9 @@
<br />
</p>
{% trans "Access the Course Materials Now" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Access the Course Materials Now{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=course_url %}
<p style="color: rgba(0,0,0,.75);">
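Review bot: `{% filter force_escape %}` has nothing to act on here: `{% blocktrans asvar course_cta_text %}Access the Course Materials Now{% endblocktrans %}` renders an empty string and only sets the variable, so the label is passed to `return_to_course_cta.html` unescaped by this template. The change satisfies the linter's pattern match but does not change what is emitted. If the intent is an explicit escape, put it where the value is consumed: `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape course_cta_url=course_url %}`.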


@@ -35,8 +35,10 @@
{% endblocktrans %}
{% endfilter %}
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Resume your course now" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
{% include "ace_common/edx_ace/common/upsell_cta.html"%}
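Review bot: Replacing the `xss-lint: disable` comment with a `{% filter force_escape %}` around `{% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}` does not escape the label — the `asvar` block renders `''` and the filter only sees that — so the value handed to `return_to_course_cta.html` is unchanged from before. Escape at the point of use, `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape %}`, and drop the wrapper. If the team's position is that translation strings are trusted and the include escapes, a one-line comment saying so is more honest than a filter that does nothing.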


@@ -34,8 +34,10 @@
{% endblocktrans %}
{% endfilter %}
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Resume your course now" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
{% include "ace_common/edx_ace/common/upsell_cta.html"%}
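Review bot: Same issue as the sibling template: `{% filter force_escape %}` wrapping `{% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}` filters an empty render, so `course_cta_text` is not escaped by this change and the lint suppression is only nominally retired. Move the escape onto the include, `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape %}`, so the guarantee is visible where the variable is consumed.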


@@ -42,8 +42,10 @@
{% interpolate_html tmsg start_strong='<strong>'|safe end_strong='</strong>'|safe course_name=course_name|force_escape|safe platform_name=platform_name|force_escape|safe %}
{% endif %}
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Keep learning" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Keep learning{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
{% include "ace_common/edx_ace/common/upsell_cta.html"%}
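Review bot: The `{% filter force_escape %}` around `{% blocktrans asvar course_cta_text %}Keep learning{% endblocktrans %}` is a no-op, because an `asvar` block outputs nothing for the filter to escape; the label reaches `return_to_course_cta.html` exactly as the catalog provides it. The line just above this hunk already shows the escaping style that actually works in this file — `interpolate_html ... course_name=course_name|force_escape|safe` — so the inconsistency is noticeable. Passing `course_cta_text=course_cta_text|force_escape` in the `{% include ... with %}` clause gives the same explicit escape for the CTA label.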


@@ -41,8 +41,10 @@
{% interpolate_html tmsg start_strong='<strong>'|safe end_strong='</strong>'|safe course_name=course_name|force_escape|safe platform_name=platform_name|force_escape|safe %}
{% endif %}
</p>
{# xss-lint: disable=django-trans-missing-escape #}
{% trans "Start learning now" as course_cta_text %}
{% filter force_escape %}
{% blocktrans asvar course_cta_text %}Start learning now{% endblocktrans %}
{% endfilter %}
{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
{% include "ace_common/edx_ace/common/upsell_cta.html"%}
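Review bot: As in the enrollment-confirmation template, `{% filter force_escape %}` wrapping `{% blocktrans asvar course_cta_text %}Start learning now{% endblocktrans %}` escapes an empty string and leaves `course_cta_text` untouched on its way into `return_to_course_cta.html`. Escape where the value is used, `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape %}`, and remove the wrapper; otherwise the template reads as escaped when it is not.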


@@ -1,19 +1,19 @@
{
"rules": {
"javascript-concat-html": 142,
"javascript-escape": 7,
"javascript-interpolate": 23,
"javascript-jquery-append": 68,
"javascript-jquery-html": 146,
"javascript-concat-html": 100,
"javascript-escape": 5,
"javascript-interpolate": 9,
"javascript-jquery-append": 50,
"javascript-jquery-html": 112,
"javascript-jquery-insert-into-target": 18,
"javascript-jquery-insertion": 19,
"javascript-jquery-prepend": 6,
"javascript-jquery-insertion": 14,
"javascript-jquery-prepend": 5,
"mako-html-entities": 0,
"mako-invalid-html-filter": 7,
"mako-invalid-js-filter": 59,
"mako-invalid-html-filter": 5,
"mako-invalid-js-filter": 20,
"mako-js-html-string": 0,
"mako-js-missing-quotes": 0,
"mako-missing-default": 83,
"mako-missing-default": 67,
"mako-multiple-page-tags": 0,
"mako-unknown-context": 0,
"mako-unparseable-expression": 0,
@@ -22,20 +22,20 @@
"python-concat-html": 0,
"python-custom-escape": 5,
"python-deprecated-display-name": 4,
"python-interpolate-html": 26,
"python-interpolate-html": 23,
"python-parse-error": 0,
"python-requires-html-or-text": 0,
"python-wrap-html": 68,
"underscore-not-escaped": 437,
"django-trans-missing-escape": 18,
"python-wrap-html": 32,
"underscore-not-escaped": 399,
"django-trans-missing-escape": 13,
"django-trans-invalid-escape-filter": 0,
"django-trans-escape-variable-mismatch": 0,
"django-blocktrans-missing-escape-filter": 12,
"django-blocktrans-missing-escape-filter": 7,
"django-blocktrans-parse-error": 0,
"django-blocktrans-escape-filter-parse-error": 0,
"django-html-interpolation-missing-safe-filter": 0,
"django-html-interpolation-missing": 1,
"django-html-interpolation-missing": 0,
"django-html-interpolation-invalid-tag": 0
},
"total": 1150
"total": 888
}