diff --git a/common/djangoapps/student/tests/test_email.py b/common/djangoapps/student/tests/test_email.py
index cf0e484e33..921d64869a 100644
--- a/common/djangoapps/student/tests/test_email.py
+++ b/common/djangoapps/student/tests/test_email.py
@@ -14,6 +14,7 @@ from django.http import HttpResponse
 from django.test import TransactionTestCase, override_settings
 from django.test.client import RequestFactory
 from django.urls import reverse
+from django.utils.html import escape
 from mock import Mock, patch
 from six import text_type
@@ -600,9 +601,7 @@ class SecondaryEmailChangeRequestTests(EventTestMixin, EmailTemplateTagMixin, Ca
 self._assert_email(
 subject=u'Confirm your recovery email for édX',
 body_fragments=[
- u'You\'ve registered this recovery email address for édX.'.format(
- new_email=new_email,
- ),
+ u'You\'ve registered this recovery email address for édX.',
 u'If you set this email address, click "confirm email."',
 u'If you didn\'t request this change, you can disregard this email.',
 u'http://edx.org/activate_secondary_email/{key}'.format(key=registration_key),
@@ -623,6 +622,6 @@ class SecondaryEmailChangeRequestTests(EventTestMixin, EmailTemplateTagMixin, Ca
 assert message.subject == subject
- for body in text, html:
- for fragment in body_fragments:
- assert fragment in body
+ for fragment in body_fragments:
+ assert fragment in text
+ assert escape(fragment) in html
diff --git a/common/templates/student/edx_ace/accountactivation/email/body.html b/common/templates/student/edx_ace/accountactivation/email/body.html
index d6970cbba9..6a217b7b77 100644
--- a/common/templates/student/edx_ace/accountactivation/email/body.html
+++ b/common/templates/student/edx_ace/accountactivation/email/body.html
@@ -29,7 +29,9 @@
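Review bot: `_assert_email` now requires every entry of `body_fragments` to be given unescaped — it is looked up verbatim in the text body and as `escape(fragment)` in the HTML body — but that contract is not documented, so a caller passing an already-escaped fragment gets a failure that reads like a rendering bug. The signature and docstring sit above the hunk; add to the docstring `body_fragments: unescaped text fragments; each must appear verbatim in the text body and HTML-escaped (django.utils.html.escape) in the HTML body.` Since `escape` is the function `force_escape` applies, the check proves single escaping only of the `'` and `"` already present in the fragments; the `édX` fixtures carry no other HTML-significant character. The enclosing `_assert_email` starts outside the hunk.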

- {% trans "Activate Your Account" as course_cta_text %}{{ course_cta_text | force_escape }}
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Activate Your Account{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_activation_link %}
diff --git a/common/templates/student/edx_ace/accountrecovery/email/body.html b/common/templates/student/edx_ace/accountrecovery/email/body.html
index 5896ed446d..448d84a438 100644
--- a/common/templates/student/edx_ace/accountrecovery/email/body.html
+++ b/common/templates/student/edx_ace/accountrecovery/email/body.html
@@ -34,9 +34,10 @@ {% trans "If you didn't request this change, you can disregard this email - we have not yet reset your password." as tmsg %}{{ tmsg | force_escape }}
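Review bot: Wrapping `{% blocktrans asvar course_cta_text %}…{% endblocktrans %}` in `{% filter force_escape %}` does not escape the CTA text: `asvar` stores the translation in the context and renders nothing, so the filter only sees whitespace and `course_cta_text` reaches `return_to_course_cta.html` unescaped, exactly as it did before. This appears to satisfy the `django-trans-missing-escape` lint rule without adding protection; whether the string is escaped on output now depends on how the included template renders `course_cta_text`, which is not in this diff and should be confirmed (an `{% autoescape off %}` or `|safe` there would leave a hostile translation unescaped). If the include is not known to escape it, pass the value escaped and drop the filter block: `{% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text|force_escape course_cta_url=confirm_activation_link %}` (force_escape marks its result safe, so autoescaping inside the include will not double-escape it). The same pattern appears in the accountrecovery, emailchange, recoveryemailcreate ("Confirm Email"), responsenotification, courseupdate, instructorledcourseupdate, recurringnudge_day10 and recurringnudge_day3 hunks.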

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Create Password" as course_cta_text %}
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Create Password{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=reset_link %}
diff --git a/common/templates/student/edx_ace/emailchange/email/body.html b/common/templates/student/edx_ace/emailchange/email/body.html
index 68ac4237b9..b5c2c5edf2 100644
--- a/common/templates/student/edx_ace/emailchange/email/body.html
+++ b/common/templates/student/edx_ace/emailchange/email/body.html
@@ -15,8 +15,10 @@ {% endfilter %}

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Confirm Email Change" as course_cta_text %}
+
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Confirm Email Change{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_link %}

diff --git a/common/templates/student/edx_ace/recoveryemailcreate/email/body.html b/common/templates/student/edx_ace/recoveryemailcreate/email/body.html
index 4f4d06b383..dff24fc4f4 100644
--- a/common/templates/student/edx_ace/recoveryemailcreate/email/body.html
+++ b/common/templates/student/edx_ace/recoveryemailcreate/email/body.html
@@ -7,16 +7,22 @@

- {% trans "Create Recovery Email" %}
+ {% trans "Create Recovery Email" as create_recovery_text %}{{ create_recovery_text | force_escape }}

+ {% filter force_escape %}
 {% blocktrans %}You've registered this recovery email address for {{ platform_name }}.{% endblocktrans %}
+ {% endfilter %}
+ {% filter force_escape %}
 {% blocktrans %}If you set this email address, click "confirm email." If you didn't request this change, you can disregard this email.{% endblocktrans %}
+ {% endfilter %}

- {% trans "Confirm Email" as course_cta_text %}
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Confirm Email{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=confirm_link %}
diff --git a/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html b/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
index 5bdcdb9074..71c88ae73f 100644
--- a/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
+++ b/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
@@ -7,9 +7,12 @@
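Review bot: The two `{% filter force_escape %}` blocks around the `{% blocktrans %}…{{ platform_name }}…{% endblocktrans %}` lines escape `platform_name` a second time if this template renders with autoescaping on: `blocktrans` already applies `conditional_escape` to interpolated variables, so a platform name such as `A & B` would come out as `A &amp;amp; B`. The test fixture (`édX`) contains no HTML-significant character, so the updated `_assert_email` cannot catch this; a fixture with `&` or `<` in `platform_name` would. If autoescaping is off in these ACE body templates the wrapping is correct as written; the template's `{% autoescape %}` state is outside the hunk and should be checked before merging.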

- {% blocktrans trimmed %} - {{ comment_username }} replied to {{ thread_title }}: + {% filter force_escape %} + {% blocktrans trimmed asvar replied_to_text %} + {{ comment_username }} replied to {% endblocktrans %} + {% endfilter %} + {{ replied_to_text }} {{ thread_title }}:

- {% trans "Access the Course Materials Now" as course_cta_text %}
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Access the Course Materials Now{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=course_url %}
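Review bot: Splitting the notification into `{% blocktrans trimmed asvar replied_to_text %}{{ comment_username }} replied to{% endblocktrans %}` followed by a separate `{{ thread_title }}:` turns one translatable sentence into a fragment that ends mid-phrase, which translators cannot reorder for languages where the object precedes the verb, and it invalidates the existing translation of the previous msgid. Keep both values in a single block and escape each once, e.g. `{% blocktrans trimmed with comment_username=comment_username|force_escape thread_title=thread_title|force_escape %}{{ comment_username }} replied to {{ thread_title }}:{% endblocktrans %}`, which leaves the sentence whole whatever the autoescape setting because force_escape returns a safe string. The surrounding `{% filter force_escape %}` then needs rechecking, since a filter around an `asvar` block escapes nothing and the new `{{ replied_to_text }}` line relies entirely on autoescaping; the hunk's line structure also looks garbled in this view, so the exact placement should be verified against the file.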

diff --git a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/courseupdate/email/body.html b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/courseupdate/email/body.html
index 545a165ba7..fd43f9933b 100644
--- a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/courseupdate/email/body.html
+++ b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/courseupdate/email/body.html
@@ -35,8 +35,10 @@ {% endblocktrans %} {% endfilter %}

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Resume your course now" as course_cta_text %}
+
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
 {% include "ace_common/edx_ace/common/upsell_cta.html"%}
diff --git a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/instructorledcourseupdate/email/body.html b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/instructorledcourseupdate/email/body.html
index d74c2847bb..e569348b77 100644
--- a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/instructorledcourseupdate/email/body.html
+++ b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/instructorledcourseupdate/email/body.html
@@ -34,8 +34,10 @@ {% endblocktrans %} {% endfilter %}

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Resume your course now" as course_cta_text %}
+
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Resume your course now{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
 {% include "ace_common/edx_ace/common/upsell_cta.html"%}
diff --git a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day10/email/body.html b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day10/email/body.html
index 4aafbc7a1d..8dc820d6dd 100644
--- a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day10/email/body.html
+++ b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day10/email/body.html
@@ -42,8 +42,10 @@ {% interpolate_html tmsg start_strong=''|safe end_strong=''|safe course_name=course_name|force_escape|safe platform_name=platform_name|force_escape|safe %} {% endif %}

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Keep learning" as course_cta_text %}
+
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Keep learning{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
 {% include "ace_common/edx_ace/common/upsell_cta.html"%}
diff --git a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day3/email/body.html b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day3/email/body.html
index 85a2076232..a936e911bf 100644
--- a/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day3/email/body.html
+++ b/openedx/core/djangoapps/schedules/templates/schedules/edx_ace/recurringnudge_day3/email/body.html
@@ -41,8 +41,10 @@ {% interpolate_html tmsg start_strong=''|safe end_strong=''|safe course_name=course_name|force_escape|safe platform_name=platform_name|force_escape|safe %} {% endif %}

- {# xss-lint: disable=django-trans-missing-escape #}
- {% trans "Start learning now" as course_cta_text %}
+
+ {% filter force_escape %}
+ {% blocktrans asvar course_cta_text %}Start learning now{% endblocktrans %}
+ {% endfilter %}
 {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text%}
 {% include "ace_common/edx_ace/common/upsell_cta.html"%}
diff --git a/scripts/xsslint_thresholds.json b/scripts/xsslint_thresholds.json
index 92dcf35764..f1e89e8adb 100644
--- a/scripts/xsslint_thresholds.json
+++ b/scripts/xsslint_thresholds.json
@@ -1,19 +1,19 @@
 {
 "rules": {
- "javascript-concat-html": 142,
- "javascript-escape": 7,
- "javascript-interpolate": 23,
- "javascript-jquery-append": 68,
- "javascript-jquery-html": 146,
+ "javascript-concat-html": 100,
+ "javascript-escape": 5,
+ "javascript-interpolate": 9,
+ "javascript-jquery-append": 50,
+ "javascript-jquery-html": 112,
 "javascript-jquery-insert-into-target": 18,
- "javascript-jquery-insertion": 19,
- "javascript-jquery-prepend": 6,
+ "javascript-jquery-insertion": 14,
+ "javascript-jquery-prepend": 5,
 "mako-html-entities": 0,
- "mako-invalid-html-filter": 7,
- "mako-invalid-js-filter": 59,
+ "mako-invalid-html-filter": 5,
+ "mako-invalid-js-filter": 20,
 "mako-js-html-string": 0,
 "mako-js-missing-quotes": 0,
- "mako-missing-default": 83,
+ "mako-missing-default": 67,
 "mako-multiple-page-tags": 0,
 "mako-unknown-context": 0,
 "mako-unparseable-expression": 0,
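Review bot: Most of the threshold reductions here are for rules this change never touches — `javascript-concat-html` 142→100, `javascript-jquery-html` 146→112, `mako-invalid-js-filter` 59→20, and in the next hunk `underscore-not-escaped` 437→399 and `python-wrap-html` 68→32 — so the file looks regenerated from a fresh lint run rather than adjusted for the template fixes alone (`django-trans-missing-escape` 18→13, `django-blocktrans-missing-escape-filter` 12→7). Lowering thresholds is safe in itself, but the commit message should say where the unrelated drops come from, otherwise a later count increase on those rules cannot be attributed to the change that caused it. If the numbers come from a lint run on a branch that already contained other cleanups, a one-line note such as `thresholds regenerated from current master lint output` in the description would settle it.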
@@ -22,20 +22,20 @@
 "python-concat-html": 0,
 "python-custom-escape": 5,
 "python-deprecated-display-name": 4,
- "python-interpolate-html": 26,
+ "python-interpolate-html": 23,
 "python-parse-error": 0,
 "python-requires-html-or-text": 0,
- "python-wrap-html": 68,
- "underscore-not-escaped": 437,
- "django-trans-missing-escape": 18,
+ "python-wrap-html": 32,
+ "underscore-not-escaped": 399,
+ "django-trans-missing-escape": 13,
 "django-trans-invalid-escape-filter": 0,
 "django-trans-escape-variable-mismatch": 0,
- "django-blocktrans-missing-escape-filter": 12,
+ "django-blocktrans-missing-escape-filter": 7,
 "django-blocktrans-parse-error": 0,
 "django-blocktrans-escape-filter-parse-error": 0,
 "django-html-interpolation-missing-safe-filter": 0,
- "django-html-interpolation-missing": 1,
+ "django-html-interpolation-missing": 0,
 "django-html-interpolation-invalid-tag": 0
 },
- "total": 1150
+ "total": 888
 }