From 8f76f3385a24ba5abd595ee1887c935dffd16d0b Mon Sep 17 00:00:00 2001 From: Mushtaq Ali Date: Mon, 11 Jan 2016 17:24:06 +0500 Subject: [PATCH] Fix enrollment message --- .../contentstore/tests/test_contentstore.py | 2 +- .../student/tests/test_recent_enrollments.py | 27 ++++++++++++++++++- common/test/utils.py | 2 +- .../courseware/tests/test_course_survey.py | 2 +- .../tests/views/test_instructor_dashboard.py | 2 +- .../shoppingcart/tests/test_views.py | 4 +-- .../verify_student/tests/test_views.py | 8 +++--- .../enrollment/course_enrollment_message.html | 3 ++- 8 files changed, 38 insertions(+), 12 deletions(-) diff --git a/cms/djangoapps/contentstore/tests/test_contentstore.py b/cms/djangoapps/contentstore/tests/test_contentstore.py index 5b48ec8a81..4382c05764 100644 --- a/cms/djangoapps/contentstore/tests/test_contentstore.py +++ b/cms/djangoapps/contentstore/tests/test_contentstore.py @@ -1430,7 +1430,7 @@ class ContentStoreTest(ContentStoreTestCase, XssTestMixin): html = ''.format( name=xss ) - self.assert_xss(resp, html) + self.assert_no_xss(resp, html) def test_course_overview_view_with_course(self): """Test viewing the course overview page with an existing course""" diff --git a/common/djangoapps/student/tests/test_recent_enrollments.py b/common/djangoapps/student/tests/test_recent_enrollments.py index ec94f4868b..d518f3f2af 100644 --- a/common/djangoapps/student/tests/test_recent_enrollments.py +++ b/common/djangoapps/student/tests/test_recent_enrollments.py 
@@ -16,11 +16,12 @@ from xmodule.modulestore.tests.factories import CourseFactory
 from course_modes.tests.factories import CourseModeFactory
 from student.models import CourseEnrollment, DashboardConfiguration
 from student.views import get_course_enrollments, _get_recently_enrolled_courses
+from common.test.utils import XssTestMixin
 
 
 @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
 @ddt.ddt
-class TestRecentEnrollments(ModuleStoreTestCase):
+class TestRecentEnrollments(ModuleStoreTestCase, XssTestMixin):
     """
     Unit tests for getting the list of courses for a logged in user
     """
@@ -126,6 +127,30 @@ class TestRecentEnrollments(ModuleStoreTestCase):
         response = self.client.get(reverse("dashboard"))
         self.assertContains(response, "Thank you for enrolling in")
 
+    def test_dashboard_escaped_rendering(self):
+        """
+        Tests that the dashboard renders the escaped recent enrollment messages appropriately.
+        """
+        self._configure_message_timeout(600)
+        self.client.login(username=self.student.username, password=self.PASSWORD)
+
+        # New Course
+        course_location = locator.CourseLocator('TestOrg', 'TestCourse', 'TestRun')
+        xss_content = ""
+        course = CourseFactory.create(
+            org=course_location.org,
+            number=course_location.course,
+            run=course_location.run,
+            display_name=xss_content
+        )
+        CourseEnrollment.enroll(self.student, course.id)
+
+        response = self.client.get(reverse("dashboard"))
+        self.assertContains(response, "Thank you for enrolling in")
+
+        # Check if response is escaped
+        self.assert_no_xss(response, xss_content)
+
     @ddt.data(
         # Register as honor in any course modes with no payment option
         ([('audit', 0), ('honor', 0)], 'honor', True),
diff --git a/common/test/utils.py b/common/test/utils.py
index 4305b6e5fc..15d884913f 100644
--- a/common/test/utils.py
+++ b/common/test/utils.py
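Review bot: The fixture `xss_content = ""` is an empty string as this hunk renders, which would make `self.assert_no_xss(response, xss_content)` meaningless: `markupsafe.escape("")` is still `""`, so the raw and escaped forms the mixin compares (see the `assert_no_xss` docstring in common/test/utils.py in this same patch) are identical and the test could not tell an escaping template from a non-escaping one. Most likely the markup inside the literal was stripped when this page was rendered rather than missing from the commit, but it is worth confirming that the committed fixture contains characters `markupsafe.escape` rewrites (`<`, `>`, `&` or quotes), since the regression check for `course_enrollment_message.html` rests entirely on it. On style, the `locator.CourseLocator('TestOrg', 'TestCourse', 'TestRun')` object exists only to be unpacked into `CourseFactory.create`; passing `org='TestOrg', number='TestCourse', run='TestRun'` directly reads more plainly and removes the `locator` dependency from this test.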
@@ -34,7 +34,7 @@ class XssTestMixin(object): Mixin for testing XSS vulnerabilities. """ - def assert_xss(self, response, xss_content): + def assert_no_xss(self, response, xss_content): """Assert that `xss_content` is not present in the content of `response`, and that its escaped version is present. Uses the same `markupsafe.escape` function as Mako templates. diff --git a/lms/djangoapps/courseware/tests/test_course_survey.py b/lms/djangoapps/courseware/tests/test_course_survey.py index 6094d06c7f..05f2386bff 100644 --- a/lms/djangoapps/courseware/tests/test_course_survey.py +++ b/lms/djangoapps/courseware/tests/test_course_survey.py @@ -233,4 +233,4 @@ class SurveyViewsTests(LoginEnrollmentTestCase, ModuleStoreTestCase, XssTestMixi kwargs={'course_id': unicode(self.course.id)} ) ) - self.assert_xss(response, '') + self.assert_no_xss(response, '') diff --git a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py index 8a40121fb7..685c44277b 100644 --- a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py +++ b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py @@ -113,7 +113,7 @@ class TestInstructorDashboard(ModuleStoreTestCase, LoginEnrollmentTestCase, XssT with script tags. """ response = self.client.get(self.url) - self.assert_xss(response, '') + self.assert_no_xss(response, '') @override_settings(PAID_COURSE_REGISTRATION_CURRENCY=['PKR', 'Rs']) def test_override_currency_settings_in_the_html_response(self): diff --git a/lms/djangoapps/shoppingcart/tests/test_views.py b/lms/djangoapps/shoppingcart/tests/test_views.py index 56ea2adff7..4a8454011b 100644 --- a/lms/djangoapps/shoppingcart/tests/test_views.py +++ b/lms/djangoapps/shoppingcart/tests/test_views.py 
@@ -938,7 +938,7 @@ class ShoppingCartViewsTests(SharedModuleStoreTestCase, XssTestMixin): self.login_user() url = reverse('shoppingcart.views.show_receipt', args=[self.cart.id]) resp = self.client.get(url) - self.assert_xss(resp, '') + self.assert_no_xss(resp, '') @patch('shoppingcart.views.render_to_response', render_mock) def test_reg_code_xss(self): @@ -954,7 +954,7 @@ class ShoppingCartViewsTests(SharedModuleStoreTestCase, XssTestMixin): redeem_url = reverse('register_code_redemption', args=[self.reg_code]) redeem_response = self.client.get(redeem_url) - self.assert_xss(redeem_response, '') + self.assert_no_xss(redeem_response, '') def test_show_receipt_json_multiple_items(self): # Two different item types diff --git a/lms/djangoapps/verify_student/tests/test_views.py b/lms/djangoapps/verify_student/tests/test_views.py index d1c8731855..54f808d152 100644 --- a/lms/djangoapps/verify_student/tests/test_views.py +++ b/lms/djangoapps/verify_student/tests/test_views.py @@ -301,7 +301,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin): response = self._get_page('verify_student_verify_now', course.id) self._assert_messaging(response, PayAndVerifyView.VERIFY_NOW_MSG) - self.assert_xss(response, '') + self.assert_no_xss(response, '') # Expect that *all* steps are displayed, # but we start after the payment step (because it's already completed). @@ -375,7 +375,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin): self._assert_messaging(response, PayAndVerifyView.PAYMENT_CONFIRMATION_MSG) - self.assert_xss(response, '') + self.assert_no_xss(response, '') # Expect that *all* steps are displayed, # but we start at the payment confirmation step 
@@ -410,7 +410,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin): self._assert_messaging(response, PayAndVerifyView.FIRST_TIME_VERIFY_MSG) - self.assert_xss(response, '') + self.assert_no_xss(response, '') # Expect that *all* steps are displayed, # but we start on the first verify step @@ -497,7 +497,7 @@ class TestPayAndVerifyView(UrlResetMixin, ModuleStoreTestCase, XssTestMixin): PayAndVerifyView.WEBCAM_REQ, ]) self._assert_upgrade_session_flag(True) - self.assert_xss(response, '') + self.assert_no_xss(response, '') def test_upgrade_already_verified(self): course = self._create_course("verified") diff --git a/lms/templates/enrollment/course_enrollment_message.html b/lms/templates/enrollment/course_enrollment_message.html index 713209cf26..45bc6112c0 100644 --- a/lms/templates/enrollment/course_enrollment_message.html +++ b/lms/templates/enrollment/course_enrollment_message.html @@ -1,4 +1,5 @@ -<%! from django.utils.translation import ugettext as _ %> +<%! from util.markup import ugettext as _ %> +<%page expression_filter="h"/> % for course_msg in course_enrollment_messages: