From e9b2b7f8a791399a9a00ad810779a032cb2df84a Mon Sep 17 00:00:00 2001
From: rabiaiftikhar
Date: Fri, 28 Dec 2018 15:36:22 +0500
Subject: [PATCH] Clean XSS in Certificates Support URL

---
 lms/djangoapps/certificates/views/support.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lms/djangoapps/certificates/views/support.py b/lms/djangoapps/certificates/views/support.py
index cd7db790b4..bbc0e4d9af 100644
--- a/lms/djangoapps/certificates/views/support.py
+++ b/lms/djangoapps/certificates/views/support.py
@@ -4,6 +4,7 @@ Certificate end-points used by the student support UI.
 
 See lms/djangoapps/support for more details.
 """
+import bleach
 import logging
 import urllib
 from functools import wraps
@@ -80,7 +81,7 @@ def search_certificates(request):
 
         ]
     """
-    user_filter = urllib.unquote(urllib.quote_plus(request.GET.get("user", "")))
+    user_filter = bleach.clean(urllib.unquote(urllib.quote_plus(request.GET.get("user", ""))))
     if not user_filter:
         msg = _("user is not given.")
         return HttpResponseBadRequest(msg)
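Review bot: `bleach.clean` on the added line of the second hunk HTML-escapes a value that is presumably used as the lookup key for the certificate search rather than rendered, so a `user` parameter containing `<`, `>` or `&` is silently rewritten to `&lt;`, `&gt;` or `&amp;` and can no longer match the account it names, while any other place the raw parameter is reflected stays unprotected. Reflected XSS is fixed at the output point: keep `user_filter = urllib.unquote(urllib.quote_plus(request.GET.get("user", "")))` for the query and apply `django.utils.html.escape` (or rely on autoescaping / JSON serialisation) wherever the value is echoed back, which is not visible in this hunk. If input sanitisation is kept deliberately, the line needs a why-comment such as `# HTML-escape the filter: it is echoed back in the response body` so the next maintainer does not drop it, and the mangling of legitimate lookup values should be acknowledged. Minor: `import bleach` in the first hunk is a third-party import placed ahead of the stdlib group; it belongs in its own group after `from functools import wraps`. The body of search_certificates continues past the end of the hunk.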