Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #11797 from edx/christina/fix-improper-escaping

Browse Source 
Fix improper escaping.
This commit is contained in:
Eric Fischer
2016-03-22 08:49:20 -04:00
parent 4f5589e356 358ed2559a
commit e2c4131a5d
4 changed files with 34 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cms/static/js/views/content_group_details.js
View File

@@ -75,18 +75,18 @@ define([
},
getOutlineAnchorMessage: function () {
var message = gettext(
var message = _.escape(gettext(
/*
Translators: 'outlineAnchor' is an anchor pointing to
the course outline page.
*/
'This content group is not in use. Add a content group to any unit from the %(outlineAnchor)s.'
),
)),
anchor = str.sprintf(
'<a href="%(url)s" title="%(text)s">%(text)s</a>',
{
url: this.model.collection.parents[0].outlineUrl,
text: gettext('Course Outline')
text: _.escape(gettext('Course Outline'))
}
);

25
cms/templates/js/content-group-details.underscore
View File

@@ -3,7 +3,7 @@
<h3 class="title">
<a href="#" class="toggle group-toggle <% if (showContentGroupUsages){ print('hide'); } else { print('show'); } %>-groups">
<i class="ui-toggle-expansion icon fa fa-caret-<% if (showContentGroupUsages){ print('down'); } else { print('right'); } %>"></i>
<%= name %>
<%- name %>
</a>
</h3>
</header>
@@ -11,28 +11,28 @@
<ol class="collection-info group-configuration-info group-configuration-info-<% if(showContentGroupUsages){ print('block'); } else { print('inline'); } %>">
<% if (!_.isUndefined(id)) { %>
<li class="group-configuration-id"
><span class="group-configuration-label"><%= gettext('ID') %>: </span
><span class="group-configuration-value"><%= id %></span
><span class="group-configuration-label"><%- gettext('ID') %>: </span
><span class="group-configuration-value"><%- id %></span
></li>
<% } %>
<% if (!showContentGroupUsages) { %>
<li class="group-configuration-usage-count">
<%= usageCountMessage %>
<%- usageCountMessage %>
</li>
<% } %>
</ol>
<ul class="actions group-configuration-actions">
<li class="action action-edit">
<button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
<button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
</li>
<% if (_.isEmpty(usage)) { %>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Delete') %>">
<button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Delete') %>">
<button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
</li>
<% } else { %>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by a unit') %>">
<button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by a unit') %>">
<button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
</li>
<% } %>
</ul>
@@ -41,17 +41,18 @@
<% if (showContentGroupUsages) { %>
<div class="collection-references wrapper-group-configuration-usages">
<% if (!_.isEmpty(usage)) { %>
<h4 class="intro group-configuration-usage-text"><%= gettext('This content group is used in:') %></h4>
<h4 class="intro group-configuration-usage-text"><%- gettext('This content group is used in:') %></h4>
<ol class="usage group-configuration-usage">
<% _.each(usage, function(unit) { %>
<li class="usage-unit group-configuration-usage-unit">
<p><a href=<%= unit.url %> ><%= unit.label %></a></p>
<p><a href=<%- unit.url %> ><%- unit.label %></a></p>
</li>
<% }) %>
</ol>
<% } else { %>
<p class="group-configuration-usage-text">
<%= outlineAnchorMessage %>
<!-- This contains an anchor link and therefore can't be escaped. -->
<%= outlineAnchorMessage %>
</p>
<% } %>
</div>

31
cms/templates/js/group-configuration-details.underscore
View File

@@ -3,7 +3,7 @@
<h3 class="title group-configuration-title">
<a href="#" class="toggle group-toggle <% if(showGroups){ print('hide'); } else { print('show'); } %>-groups">
<i class="ui-toggle-expansion icon fa fa-caret-<% if(showGroups){ print('down'); } else { print('right'); } %>"></i>
<%= name %>
<%- name %>
</a>
</h3>
</header>
@@ -11,20 +11,20 @@
<ol class="collection-info group-configuration-info group-configuration-info-<% if(showGroups){ print('block'); } else { print('inline'); } %>">
<% if (!_.isUndefined(id)) { %>
<li class="group-configuration-id"
><span class="group-configuration-label"><%= gettext('ID') %>: </span
><span class="group-configuration-value"><%= id %></span
><span class="group-configuration-label"><%- gettext('ID') %>: </span
><span class="group-configuration-value"><%- id %></span
></li>
<% } %>
<% if (showGroups) { %>
<li class="collection-description group-configuration-description">
<%= description %>
<%- description %>
</li>
<% } else { %>
<li class="group-configuration-groups-count">
<%= groupsCountMessage %>
<%- groupsCountMessage %>
</li>
<li class="group-configuration-usage-count">
<%= usageCountMessage %>
<%- usageCountMessage %>
</li>
<% } %>
</ol>
@@ -34,23 +34,23 @@
<ol class="collection-items groups groups-<%= index %>">
<% groups.each(function(group, groupIndex) { %>
<li class="item group group-<%= groupIndex %>">
<span class="name group-name"><%= group.get('name') %></span>
<span class="meta group-allocation"><%= allocation %>%</span>
<span class="name group-name"><%- group.get('name') %></span>
<span class="meta group-allocation"><%- allocation %>%</span>
</li>
<% }) %>
</ol>
<% } %>
<ul class="actions group-configuration-actions">
<li class="action action-edit">
<button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
<button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
</li>
<% if (_.isEmpty(usage)) { %>
<li class="action action-delete wrapper-delete-button">
<button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
<button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
</li>
<% } else { %>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by an experiment') %>">
<button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
<li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by an experiment') %>">
<button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
</li>
<% } %>
</ul>
@@ -58,11 +58,11 @@
<% if(showGroups) { %>
<div class="collection-references wrapper-group-configuration-usages">
<% if (!_.isEmpty(usage)) { %>
<h4 class="intro group-configuration-usage-text"><%= gettext('This Group Configuration is used in:') %></h4>
<h4 class="intro group-configuration-usage-text"><%- gettext('This Group Configuration is used in:') %></h4>
<ol class="usage group-configuration-usage">
<% _.each(usage, function(unit) { %>
<li class="usage-unit group-configuration-usage-unit">
<p><a href=<%= unit.url %> ><%= unit.label %></a></p>
<p><a href=<%- unit.url %> ><%- unit.label %></a></p>
<% if (unit.validation) { %>
<p>
<% if (unit.validation.type === 'warning') { %>
@@ -71,7 +71,7 @@
<i class="icon fa fa-exclamation-circle"></i>
<% } %>
<span class="usage-validation-message group-configuration-validation-message">
<%= unit.validation.text %>
<%- unit.validation.text %>
</span>
</p>
<% } %>
@@ -80,6 +80,7 @@
</ol>
<% } else { %>
<p class="group-configuration-usage-text">
<!-- This contains an anchor link and therefore can't be escaped. -->
<%= outlineAnchorMessage %>
</p>
<% } %>

3
lms/templates/instructor/instructor_dashboard_2/cohort_management.html
View File

@@ -2,6 +2,7 @@
<%namespace name='static' file='../../static_content.html'/>
<%!
from django.utils.translation import ugettext as _
from openedx.core.djangolib.js_utils import js_escaped_string
from courseware.courses import get_studio_url
from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_user_partition
%>
@@ -27,7 +28,7 @@ from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_
% for content_group in content_groups:
{
id: ${content_group.id},
name: "${content_group.name | h}",
name: "${content_group.name | n, js_escaped_string}",
user_partition_id: cohortUserPartitionId
},
% endfor