Merge pull request #8196 from edx/release

Merge hotfix from release to master

openedx/core/lib/json_utils.py

@@ -0,0 +1,22 @@
+"""
+Utilities for dealing with JSON.
+"""
+import simplejson
+
+
+from xmodule.modulestore import EdxJSONEncoder
+
+
+class EscapedEdxJSONEncoder(EdxJSONEncoder):
+    """
+    Class for encoding edx JSON which will be printed inline into HTML
+    templates.
+    """
+    def encode(self, obj):
+        """
+        Encodes JSON that is safe to be embedded in HTML.
+        """
+        return simplejson.dumps(
+            simplejson.loads(super(EscapedEdxJSONEncoder, self).encode(obj)),
+            cls=simplejson.JSONEncoderForHTML
+        )

openedx/core/lib/tests/test_json_utils.py

@@ -0,0 +1,18 @@
+"""
+Tests for json_utils.py
+"""
+import json
+from unittest import TestCase
+
+from openedx.core.lib.json_utils import EscapedEdxJSONEncoder
+
+
+class TestEscapedEdxJSONEncoder(TestCase):
+    """Test the EscapedEdxJSONEncoder class."""
+    def test_escapes_forward_slashes(self):
+        """Verify that we escape forward slashes with backslashes."""
+        malicious_json = {'</script><script>alert("hello, ");</script>': '</script><script>alert("world!");</script>'}
+        self.assertNotIn(
+            '</script>',
+            json.dumps(malicious_json, cls=EscapedEdxJSONEncoder)
+        )