Merge pull request #5097 from edx/hotfix/2014-09-05b
Hotfix/2014 09 05b
@@ -124,6 +124,32 @@ describe "DiscussionThreadView", ->
|
||||
expect($(".post-body").text()).toEqual(expectedAbbreviation)
|
||||
expect(DiscussionThreadShowView.prototype.convertMath).toHaveBeenCalled()
|
||||
|
||||
it "strips script tags appropriately", ->
|
||||
DiscussionViewSpecHelper.setNextResponseContent({resp_total: 0, children: []})
|
||||
longMaliciousBody = new Array(100).join("<script>alert('Until they think warm days will never cease');</script>\n")
|
||||
@thread.set("body", longMaliciousBody)
|
||||
maliciousAbbreviation = DiscussionUtil.abbreviateString(@thread.get('body'), 140)
|
||||
|
||||
# The nodes' html should be different than the strings, but
|
||||
# their texts should be the same, indicating that they've been
|
||||
# properly escaped. To be safe, make sure the string "<script"
|
||||
# isn't present, either
|
||||
|
||||
@view.render()
|
||||
expect($(".post-body").html()).not.toEqual(maliciousAbbreviation)
|
||||
expect($(".post-body").text()).toEqual(maliciousAbbreviation)
|
||||
expect($(".post-body").html()).not.toContain("<script")
|
||||
|
||||
@view.expand()
|
||||
expect($(".post-body").html()).not.toEqual(longMaliciousBody)
|
||||
expect($(".post-body").text()).toEqual(longMaliciousBody)
|
||||
expect($(".post-body").html()).not.toContain("<script")
|
||||
|
||||
@view.collapse()
|
||||
expect($(".post-body").html()).not.toEqual(maliciousAbbreviation)
|
||||
expect($(".post-body").text()).toEqual(maliciousAbbreviation)
|
||||
expect($(".post-body").html()).not.toContain("<script")
|
||||
|
||||
describe "for question threads", ->
|
||||
beforeEach ->
|
||||
@thread.set("thread_type", "question")
|
||||
|
||||
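Review bot: The three `not.toContain("<script")` assertions on the new side only prove that the literal tag is absent from the html, which a tag-stripping sanitizer would satisfy just as well, while the comment above them says the goal is proper escaping; adding `expect($(".post-body").html()).toContain("&lt;script")` next to each of them would pin the escaping behaviour the comment promises. The test name `"strips script tags appropriately"` likewise describes stripping rather than escaping, and `"escapes markup in the thread body"` would match what is asserted. The paired `.text()` equality checks already confirm that no content is lost, which is the right complement to the html checks.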
@@ -62,7 +62,7 @@ if Backbone?
|
||||
if event
|
||||
event.preventDefault()
|
||||
@$el.addClass("expanded")
|
||||
@$el.find(".post-body").html(@model.get("body"))
|
||||
@$el.find(".post-body").text(@model.get("body"))
|
||||
@showView.convertMath()
|
||||
@$el.find(".forum-thread-expand").hide()
|
||||
@$el.find(".forum-thread-collapse").show()
|
||||
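Review bot: The `@$el.find(".post-body").text(@model.get("body"))` line followed by `@showView.convertMath()` is now duplicated between this hunk and the next one (`.text(@getAbbreviatedBody())`), so the decision to write the body as text rather than html lives in two places and a later edit could reintroduce `.html()` on one path without the other noticing. A small helper such as `setBody: (body) -> @$el.find(".post-body").text(body); @showView.convertMath()` called from both would keep the escaping in one place and give it a natural spot for a comment explaining why `.html()` must not be used. The enclosing methods, presumably `expand` and `collapse` to match the spec's `@view.expand()`/`@view.collapse()` calls, start outside their hunks.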
@@ -74,7 +74,7 @@ if Backbone?
|
||||
if event
|
||||
event.preventDefault()
|
||||
@$el.removeClass("expanded")
|
||||
@$el.find(".post-body").html(@getAbbreviatedBody())
|
||||
@$el.find(".post-body").text(@getAbbreviatedBody())
|
||||
@showView.convertMath()
|
||||
@$el.find(".forum-thread-expand").show()
|
||||
@$el.find(".forum-thread-collapse").hide()
|
||||
|
||||
@@ -99,7 +99,6 @@
|
||||
<tr class="coupons-headings">
|
||||
<th class="c_code">${_("Code")}</th>
|
||||
<th class="c_dsc">${_("Description")}</th>
|
||||
<th class="c_course_id">${_("Course_id")}</th>
|
||||
<th class="c_discount">${_("Discount (%)")}</th>
|
||||
<th class="c_count">${_("Count")}</th>
|
||||
<th class="c_action">${_("Actions")}</th>
|
||||
@@ -114,7 +113,6 @@
|
||||
%endif
|
||||
<td>${coupon.code}</td>
|
||||
<td>${coupon.description}</td>
|
||||
<td>${coupon.course_id.to_deprecated_string()}</td>
|
||||
<td>${coupon.percentage_discount}</td>
|
||||
<td>
|
||||
${ coupon.couponredemption_set.all().count() }
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
<%! from django.utils.translation import ugettext as _ %>
|
||||
<%! from django.core.urlresolvers import reverse %>
|
||||
<%! from django.conf import settings %>
|
||||
<%! from microsite_configuration import microsite %>
|
||||
|
||||
<%inherit file="../main.html" />
|
||||
|
||||
@@ -22,7 +23,7 @@
|
||||
<section class="wrapper cart-list">
|
||||
<div class="wrapper-content-main">
|
||||
<article class="content-main">
|
||||
<h1>${_(settings.PLATFORM_NAME + " (" + settings.SITE_NAME + ")" + " Electronic Receipt")}</h1>
|
||||
<h1>${_("{platform_name} ({site_name}) Electronic Receipt").format(platform_name=microsite.get_value('platform_name', settings.PLATFORM_NAME), site_name=microsite.get_value('SITE_NAME', settings.SITE_NAME))}</h1>
|
||||
<hr />
|
||||
|
||||
<table class="order-receipt">
|
||||
|
||||
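Review bot: The new `<h1>` line packs the translatable string, two `microsite.get_value` lookups and their fallbacks into one expression, which is hard to read and hard to diff the next time either lookup changes; computing the two values in a `<% %>` block just above the heading keeps the markup line short. Since `platform_name` and `SITE_NAME` now come from microsite configuration rather than only from settings, it is worth confirming that this template's default Mako filters HTML-escape `${}` output (or adding `| h`), as the page does not show the filter configuration. The `.format` with named placeholders is the right replacement for the old string concatenation inside `_()`, which could never have matched a translation catalogue entry.
```mako
<%
    platform_name = microsite.get_value('platform_name', settings.PLATFORM_NAME)
    site_name = microsite.get_value('SITE_NAME', settings.SITE_NAME)
%>
<h1>${_("{platform_name} ({site_name}) Electronic Receipt").format(platform_name=platform_name, site_name=site_name)}</h1>
## … unchanged: <hr /> and order-receipt table …
```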