From f336d0490c4c8b1c6f5f3cf7f015f9b02f9f94c3 Mon Sep 17 00:00:00 2001
From: Waheed Ahmed
Date: Fri, 8 Aug 2014 12:38:12 +0500
Subject: [PATCH] Html escaped from display name in xblock. LMS-11194
---
 .../contentstore/features/course-outline.feature | 2 +-
 .../contentstore/features/course-outline.py | 2 +-
 .../contentstore/features/problem-editor.feature | 6 ++++++
 .../contentstore/features/problem-editor.py | 16 ++++++++++++++++
 common/lib/xmodule/xmodule/x_module.py | 2 +-
 5 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/cms/djangoapps/contentstore/features/course-outline.feature b/cms/djangoapps/contentstore/features/course-outline.feature
index 67efc84588..2fc93c2c6e 100644
--- a/cms/djangoapps/contentstore/features/course-outline.feature
+++ b/cms/djangoapps/contentstore/features/course-outline.feature
@@ -25,7 +25,7 @@ Feature: CMS.Course Outline
 Scenario: Collapse link is removed after last section of a course is deleted
 Given I have a course with 1 section
 And I navigate to the course outline page
- And I press the "section" delete icon
+ And I press the section delete icon
 When I will confirm all alerts
 Then I do not see the "Collapse All Sections" link
diff --git a/cms/djangoapps/contentstore/features/course-outline.py b/cms/djangoapps/contentstore/features/course-outline.py
index f9ceb6ff68..a5f4da0731 100644
--- a/cms/djangoapps/contentstore/features/course-outline.py
+++ b/cms/djangoapps/contentstore/features/course-outline.py
@@ -67,7 +67,7 @@ def i_add_a_section(step):
 add_section()
-@step(u'I press the "section" delete icon')
+@step(u'I press the section delete icon')
 def i_press_the_section_delete_icon(step):
 delete_locator = 'section .outline-section > .section-header a.delete-button'
 world.css_click(delete_locator)
diff --git a/cms/djangoapps/contentstore/features/problem-editor.feature b/cms/djangoapps/contentstore/features/problem-editor.feature
index 4b3292665c..0891e9de99 100644
--- a/cms/djangoapps/contentstore/features/problem-editor.feature
+++ b/cms/djangoapps/contentstore/features/problem-editor.feature
@@ -30,6 +30,12 @@ Feature: CMS.Problem Editor
 Then I can revert the display name to unset
 And my display name is unset on save
+ Scenario: User can specify html in display name and it will be escaped
+ Given I have created a Blank Common Problem
+ When I edit and select Settings
+ Then I can specify html in the display name and save
+ And the problem display name is ""
+
 # IE will not click the revert button properly
 @skip_internetexplorer
 Scenario: User can select values in a Select
diff --git a/cms/djangoapps/contentstore/features/problem-editor.py b/cms/djangoapps/contentstore/features/problem-editor.py
index 65cf8c5e95..c49535b3de 100644
--- a/cms/djangoapps/contentstore/features/problem-editor.py
+++ b/cms/djangoapps/contentstore/features/problem-editor.py
@@ -133,6 +133,18 @@ def i_can_modify_the_display_name_with_special_chars(_step):
 verify_modified_display_name_with_special_chars()
+@step('I can specify html in the display name and save')
+def i_can_modify_the_display_name_with_html(_step):
+ """
+ If alert appear on save then UnexpectedAlertPresentException
+ will occur and test will fail.
+ """
+ index = world.get_setting_entry_index(DISPLAY_NAME)
+ world.set_field_value(index, "")
+ verify_modified_display_name_with_html()
+ world.save_component()
+
+
 @step('my special characters and persisted on save')
 def special_chars_persisted_on_save(step):
 world.save_component_and_reopen(step)
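Review bot: The new step `i_can_modify_the_display_name_with_html` verifies escaping only by the absence of an alert: per its docstring it passes whenever `world.save_component()` is not interrupted, so a display name that is rendered as markup without raising an alert would still pass. `verify_modified_display_name_with_html()` also runs before the save, so it checks the value held in the settings editor (the helper is added in the second hunk of this file) rather than what the saved component renders. I would add a positive assertion after the save that the display name appears as literal text and that no element was created from it, and reword the docstring to `"""Set an HTML display name and save; an unescaped name raises UnexpectedAlertPresentException and fails the step."""`. The string passed to `world.set_field_value` shows as `""` on this page, presumably stripped in rendering, so the test value itself cannot be reviewed here.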
@@ -350,6 +362,10 @@ def verify_modified_display_name_with_special_chars():
 world.verify_setting_entry(world.get_setting_entry(DISPLAY_NAME), DISPLAY_NAME, "updated ' \" &", True)
+def verify_modified_display_name_with_html():
+ world.verify_setting_entry(world.get_setting_entry(DISPLAY_NAME), DISPLAY_NAME, "", True)
+
+
 def verify_unset_display_name():
 world.verify_setting_entry(world.get_setting_entry(DISPLAY_NAME), DISPLAY_NAME, 'Blank Advanced Problem', False)
diff --git a/common/lib/xmodule/xmodule/x_module.py b/common/lib/xmodule/xmodule/x_module.py
index 010e2c1fd0..fd560814ea 100644
--- a/common/lib/xmodule/xmodule/x_module.py
+++ b/common/lib/xmodule/xmodule/x_module.py
@@ -231,7 +231,7 @@ class XModuleMixin(XBlockMixin):
 name = self.display_name
 if name is None:
 name = self.url_name.replace('_', ' ')
- return name
+ return name.replace('<', '<').replace('>', '>')
 @property
 def xblock_kvs(self):
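Review bot: The new `return` in this `XModuleMixin` getter hand-rolls escaping with two chained `replace` calls that cover only `<` and `>`, so `&` and both quote characters pass through unchanged and the result is not safe inside an HTML attribute such as `title="..."`. The replacement strings show as `'<'` and `'>'` on this page, presumably entity-decoded in rendering, so I am assuming the commit actually writes `&lt;` and `&gt;`. A complete escaper that handles the ampersand first would be safer, e.g. `return cgi.escape(name, quote=True)` (needs `import cgi`; single quotes stay unescaped, so attribute values must be double-quoted) or `django.utils.html.escape` if a Django import is acceptable in this module. Escaping in the model getter also means auto-escaping templates will double-encode the name and non-HTML consumers receive entities, so a comment such as `# Returns HTML-escaped text; callers must not escape it again` belongs above the return. The method's name and signature lie outside the hunk.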