Merge pull request #8196 from edx/release

Merge hotfix from release to master
2015-05-26 14:15:09 -04:00
parent dc04f08e10 019da46c60
commit e424ce8a1d
3 changed files with 42 additions and 2 deletions
--- a/lms/templates/student_profile/learner_profile.html
+++ b/lms/templates/student_profile/learner_profile.html
@@ -1,7 +1,7 @@
 <%! import json %>
 <%! from django.core.urlresolvers import reverse %>
 <%! from django.utils.translation import ugettext as _ %>
-<%! from xmodule.modulestore import EdxJSONEncoder %>
+<%! from openedx.core.lib.json_utils import EscapedEdxJSONEncoder %>

 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
@@ -39,7 +39,7 @@
    <script>
          (function (require) {
            require(['js/student_profile/views/learner_profile_factory'], function(setupLearnerProfile) {
-                var options = ${ json.dumps(data, cls=EdxJSONEncoder) };
+                var options = ${ json.dumps(data, cls=EscapedEdxJSONEncoder) };
                setupLearnerProfile(options);
            });
          }).call(this, require || RequireJS.require);
--- a/openedx/core/lib/json_utils.py
+++ b/openedx/core/lib/json_utils.py
@@ -0,0 +1,22 @@
+"""
+Utilities for dealing with JSON.
+"""
+import simplejson
+
+
+from xmodule.modulestore import EdxJSONEncoder
+
+
+class EscapedEdxJSONEncoder(EdxJSONEncoder):
+    """
+    Class for encoding edx JSON which will be printed inline into HTML
+    templates.
+    """
+    def encode(self, obj):
+        """
+        Encodes JSON that is safe to be embedded in HTML.
+        """
+        return simplejson.dumps(
+            simplejson.loads(super(EscapedEdxJSONEncoder, self).encode(obj)),
+            cls=simplejson.JSONEncoderForHTML
+        )
--- a/openedx/core/lib/tests/test_json_utils.py
+++ b/openedx/core/lib/tests/test_json_utils.py
@@ -0,0 +1,18 @@
+"""
+Tests for json_utils.py
+"""
+import json
+from unittest import TestCase
+
+from openedx.core.lib.json_utils import EscapedEdxJSONEncoder
+
+
+class TestEscapedEdxJSONEncoder(TestCase):
+    """Test the EscapedEdxJSONEncoder class."""
+    def test_escapes_forward_slashes(self):
+        """Verify that we escape forward slashes with backslashes."""
+        malicious_json = {'</script><script>alert("hello, ");</script>': '</script><script>alert("world!");</script>'}
+        self.assertNotIn(
+            '</script>',
+            json.dumps(malicious_json, cls=EscapedEdxJSONEncoder)
+        )