From 09e1f9ed71910341b1e806466d70308162dbb832 Mon Sep 17 00:00:00 2001
From: Daniel Friedman <dfriedman58@gmail.com>
Date: Thu, 21 May 2015 22:46:12 +0000
Subject: [PATCH] Fix XSS vulnerability in User Profile.

TNL-2248
---
 .../student_profile/learner_profile.html      |  4 ++--
 openedx/core/lib/json_utils.py                | 22 +++++++++++++++++++
 openedx/core/lib/tests/test_json_utils.py     | 18 +++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 openedx/core/lib/json_utils.py
 create mode 100644 openedx/core/lib/tests/test_json_utils.py

diff --git a/lms/templates/student_profile/learner_profile.html b/lms/templates/student_profile/learner_profile.html
index 3d895ed744..ae6451d644 100644
--- a/lms/templates/student_profile/learner_profile.html
+++ b/lms/templates/student_profile/learner_profile.html
@@ -1,7 +1,7 @@
 <%! import json %>
 <%! from django.core.urlresolvers import reverse %>
 <%! from django.utils.translation import ugettext as _ %>
-<%! from xmodule.modulestore import EdxJSONEncoder %>
+<%! from openedx.core.lib.json_utils import EscapedEdxJSONEncoder %>
 
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
@@ -39,7 +39,7 @@
     <script>
           (function (require) {
             require(['js/student_profile/views/learner_profile_factory'], function(setupLearnerProfile) {
-                var options = ${ json.dumps(data, cls=EdxJSONEncoder) };
+                var options = ${ json.dumps(data, cls=EscapedEdxJSONEncoder) };
                 setupLearnerProfile(options);
             });
           }).call(this, require || RequireJS.require);
diff --git a/openedx/core/lib/json_utils.py b/openedx/core/lib/json_utils.py
new file mode 100644
index 0000000000..3c89321e99
--- /dev/null
+++ b/openedx/core/lib/json_utils.py
@@ -0,0 +1,22 @@
+"""
+Utilities for dealing with JSON.
+"""
+import simplejson
+
+
+from xmodule.modulestore import EdxJSONEncoder
+
+
+class EscapedEdxJSONEncoder(EdxJSONEncoder):
+    """
+    Class for encoding edx JSON which will be printed inline into HTML
+    templates.
+    """
+    def encode(self, obj):
+        """
+        Encodes JSON that is safe to be embedded in HTML.
+        """
+        return simplejson.dumps(
+            simplejson.loads(super(EscapedEdxJSONEncoder, self).encode(obj)),
+            cls=simplejson.JSONEncoderForHTML
+        )
diff --git a/openedx/core/lib/tests/test_json_utils.py b/openedx/core/lib/tests/test_json_utils.py
new file mode 100644
index 0000000000..9521f58826
--- /dev/null
+++ b/openedx/core/lib/tests/test_json_utils.py
@@ -0,0 +1,18 @@
+"""
+Tests for json_utils.py
+"""
+import json
+from unittest import TestCase
+
+from openedx.core.lib.json_utils import EscapedEdxJSONEncoder
+
+
+class TestEscapedEdxJSONEncoder(TestCase):
+    """Test the EscapedEdxJSONEncoder class."""
+    def test_escapes_forward_slashes(self):
+        """Verify that we escape forward slashes with backslashes."""
+        malicious_json = {'</script><script>alert("hello, ");</script>': '</script><script>alert("world!");</script>'}
+        self.assertNotIn(
+            '</script>',
+            json.dumps(malicious_json, cls=EscapedEdxJSONEncoder)
+        )