Fix xss warnings (#22408)

This commit is contained in:
Alex Wang
2019-11-26 20:15:33 -05:00
committed by GitHub
parent b074f0c671
commit f42d2edd29
7 changed files with 91 additions and 70 deletions


@@ -7,8 +7,9 @@
'js/views/fields',
'teams/js/models/team',
'common/js/components/utils/view_utils',
'text!teams/templates/edit-team.underscore'],
function(Backbone, _, gettext, FieldViews, TeamModel, ViewUtils, editTeamTemplate) {
'text!teams/templates/edit-team.underscore',
'edx-ui-toolkit/js/utils/html-utils'],
function(Backbone, _, gettext, FieldViews, TeamModel, ViewUtils, editTeamTemplate, HtmlUtils) {
return Backbone.View.extend({
maxTeamNameLength: 255,
@@ -81,11 +82,14 @@
},
render: function() {
this.$el.html(_.template(editTeamTemplate)({ // xss-lint: disable=javascript-jquery-html
primaryButtonTitle: this.primaryButtonTitle,
action: this.action,
totalMembers: _.isUndefined(this.teamModel) ? 0 : this.teamModel.get('membership').length
}));
HtmlUtils.setHtml(
this.$el,
HtmlUtils.template(editTeamTemplate)({
primaryButtonTitle: this.primaryButtonTitle,
action: this.action,
totalMembers: _.isUndefined(this.teamModel) ? 0 : this.teamModel.get('membership').length
})
);
this.set(this.teamNameField, '.team-required-fields');
this.set(this.teamDescriptionField, '.team-required-fields');
this.set(this.teamLanguageField, '.team-optional-fields');

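Review bot: Switching render to HtmlUtils.template (lines around `HtmlUtils.template(editTeamTemplate)({`) changes how the rendered result is inserted, but not how the template's own expressions escape: any value interpolated inside edit-team.underscore is only safe if the template uses the escaping form (`<%-`) rather than `<%=`, and that file is not part of this diff. The three values passed here (primaryButtonTitle, action, totalMembers) look view-controlled, so the risk is presumably low, but the template should be checked once rather than relying on the lint suppression having been removed. A short comment above the call would record that, e.g. `// edit-team.underscore must escape its own interpolations; HtmlUtils.template only makes the result an HtmlSnippet`. render ends outside this hunk.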

@@ -7,8 +7,9 @@
'edx-ui-toolkit/js/utils/string-utils',
'teams/js/views/team_utils',
'common/js/components/utils/view_utils',
'text!teams/templates/instructor-tools.underscore'],
function(Backbone, _, gettext, StringUtils, TeamUtils, ViewUtils, instructorToolbarTemplate) {
'text!teams/templates/instructor-tools.underscore',
'edx-ui-toolkit/js/utils/html-utils'],
function(Backbone, _, gettext, StringUtils, TeamUtils, ViewUtils, instructorToolbarTemplate, HtmlUtils) {
return Backbone.View.extend({
events: {
@@ -17,13 +18,12 @@
},
initialize: function(options) {
this.template = _.template(instructorToolbarTemplate);
this.team = options.team;
this.teamEvents = options.teamEvents;
},
render: function() {
this.$el.html(this.template); // xss-lint: disable=javascript-jquery-html
HtmlUtils.setHtml(this.$el, HtmlUtils.template(instructorToolbarTemplate)({}));
return this;
},


@@ -1,8 +1,8 @@
(function(define) {
'use strict';
define(['backbone', 'gettext', 'teams/js/views/teams'],
function(Backbone, gettext, TeamsView) {
define(['backbone', 'gettext', 'teams/js/views/teams', 'edx-ui-toolkit/js/utils/html-utils'],
function(Backbone, gettext, TeamsView, HtmlUtils) {
var MyTeamsView = TeamsView.extend({
render: function() {
var view = this;
@@ -13,9 +13,7 @@
.done(function() {
TeamsView.prototype.render.call(view);
if (view.collection.length === 0) {
view.$el.append( // xss-lint: disable=javascript-jquery-append
// eslint-disable-next-line max-len
'<p>' + gettext('You are not currently a member of any team.') + '</p>'); // xss-lint: disable=javascript-concat-html
HtmlUtils.append(view.$el, gettext('You are not currently a member of any team.'));
}
});
return this;

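Review bot: The replacement `HtmlUtils.append(view.$el, gettext('You are not currently a member of any team.'))` drops the `<p>` wrapper the old code emitted, because HtmlUtils.append treats a plain string as text to be escaped; the empty-state message is now appended as a bare text node, which will change layout and any selector or test that looked for a paragraph. To keep the element while still escaping the translated text: `HtmlUtils.append(view.$el, HtmlUtils.interpolateHtml(HtmlUtils.HTML('<p>{message}</p>'), {message: gettext('You are not currently a member of any team.')}));`. The enclosing render function starts outside this hunk.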

@@ -10,7 +10,9 @@
'teams/js/views/team_utils',
'text!teams/templates/team-membership-details.underscore',
'text!teams/templates/team-country-language.underscore',
'text!teams/templates/date.underscore'
'text!teams/templates/date.underscore',
'edx-ui-toolkit/js/utils/html-utils',
'edx-ui-toolkit/js/utils/string-utils'
], function(
$,
Backbone,
@@ -21,14 +23,15 @@
TeamUtils,
teamMembershipDetailsTemplate,
teamCountryLanguageTemplate,
dateTemplate
dateTemplate,
HtmlUtils,
StringUtils
) {
var TeamMembershipView, TeamCountryLanguageView, TeamActivityView, TeamCardView;
TeamMembershipView = Backbone.View.extend({
tagName: 'div',
className: 'team-members',
template: _.template(teamMembershipDetailsTemplate),
initialize: function(options) {
this.maxTeamSize = options.maxTeamSize;
@@ -41,21 +44,23 @@
}).reverse(),
displayableMemberships = allMemberships.slice(0, 5),
maxMemberCount = this.maxTeamSize;
this.$el.html(this.template({ // xss-lint: disable=javascript-jquery-html
membership_message: TeamUtils.teamCapacityText(allMemberships.length, maxMemberCount),
memberships: displayableMemberships,
has_additional_memberships: displayableMemberships.length < allMemberships.length,
/* Translators: "and others" refers to fact that additional
* members of a team exist that are not displayed. */
sr_message: gettext('and others')
}));
HtmlUtils.setHtml(
this.$el,
HtmlUtils.template(teamMembershipDetailsTemplate)({
membership_message: TeamUtils.teamCapacityText(allMemberships.length, maxMemberCount),
memberships: displayableMemberships,
has_additional_memberships: displayableMemberships.length < allMemberships.length,
/* Translators: "and others" refers to fact that additional
* members of a team exist that are not displayed. */
sr_message: gettext('and others')
})
);
return this;
}
});
TeamCountryLanguageView = Backbone.View.extend({
template: _.template(teamCountryLanguageTemplate),
initialize: function(options) {
this.countries = options.countries;
this.languages = options.languages;
@@ -63,10 +68,13 @@
render: function() {
// this.$el should be the card meta div
this.$el.append(this.template({ // xss-lint: disable=javascript-jquery-append
country: this.countries[this.model.get('country')],
language: this.languages[this.model.get('language')]
}));
HtmlUtils.append(
this.$el,
HtmlUtils.template(teamCountryLanguageTemplate)({
country: this.countries[this.model.get('country')],
language: this.languages[this.model.get('language')]
})
);
}
});
@@ -83,15 +91,17 @@
var lastActivity = moment(this.date),
currentLanguage = $('html').attr('lang');
lastActivity.locale(currentLanguage);
this.$el.html( // xss-lint: disable=javascript-jquery-html
// eslint-disable-next-line no-undef
interpolate( // xss-lint: disable=javascript-interpolate
/* Translators: 'date' is a placeholder for a fuzzy,
* relative timestamp (see: http://momentjs.com/)
*/
gettext('Last activity %(date)s'),
{date: this.template({date: lastActivity.format('MMMM Do YYYY, h:mm:ss a')})},
true
HtmlUtils.setHtml(
this.$el,
HtmlUtils.HTML(
StringUtils.interpolate(
/* Translators: 'date' is a placeholder for a fuzzy,
* relative timestamp (see: http://momentjs.com/)
*/
gettext('Last activity {date}'),
{date: this.template({date: lastActivity.format('MMMM Do YYYY, h:mm:ss a')})},
true
)
)
);
this.$('abbr').text(lastActivity.fromNow());
@@ -123,9 +133,8 @@
details: function() { return this.detailViews; },
actionClass: 'action-view',
actionContent: function() {
// eslint-disable-next-line no-undef
return interpolate( // xss-lint: disable=javascript-interpolate
gettext('View %(span_start)s %(team_name)s %(span_end)s'),
return StringUtils.interpolate(
gettext('View {span_start} {team_name} {span_end}'),
{span_start: '<span class="sr">', team_name: _.escape(this.model.get('name')), span_end: '</span>'},
true
);

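Review bot: In the "Last activity" hunk the trailing `true` argument to `StringUtils.interpolate(...)` is carried over from Django's `interpolate(fmt, obj, named)`; as far as I recall edx-ui-toolkit's StringUtils.interpolate takes only (formatString, parameters), so the extra argument is silently ignored and should be dropped, here and at the other call sites this commit converts (the actionContent hunk below, teamCapacityText in team_utils, and the team-count view). The same hunk also wraps the whole interpolated string in `HtmlUtils.HTML(...)`, which marks the translated format string as trusted markup along with the date template output; `HtmlUtils.setHtml(this.$el, HtmlUtils.interpolateHtml(gettext('Last activity {date}'), {date: HtmlUtils.HTML(this.template({date: lastActivity.format('MMMM Do YYYY, h:mm:ss a')}))}))` keeps the translation escaped and trusts only the template result. TeamActivityView's `template` definition and the start of its render are outside this hunk, so whether dateTemplate itself escapes cannot be confirmed from here.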

@@ -6,8 +6,9 @@
'underscore',
'gettext',
'teams/js/views/team_utils',
'text!teams/templates/team-profile-header-actions.underscore'],
function(Backbone, $, _, gettext, TeamUtils, teamProfileHeaderActionsTemplate) {
'text!teams/templates/team-profile-header-actions.underscore',
'edx-ui-toolkit/js/utils/html-utils'],
function(Backbone, $, _, gettext, TeamUtils, teamProfileHeaderActionsTemplate, HtmlUtils) {
return Backbone.View.extend({
errorMessage: gettext('An error occurred. Try again.'),
@@ -53,12 +54,14 @@
showJoinButton = true;
}
}
view.$el.html(view.template({ // xss-lint: disable=javascript-jquery-html
showJoinButton: showJoinButton,
message: message,
showEditButton: view.showEditButton
}));
HtmlUtils.setHtml(
view.$el,
HtmlUtils.template(teamProfileHeaderActionsTemplate)({
showJoinButton: showJoinButton,
message: message,
showEditButton: view.showEditButton
})
);
});
return view;
},

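Review bot: The new code compiles `HtmlUtils.template(teamProfileHeaderActionsTemplate)` inline on every render, while the old line used `view.template`, which presumably is still declared on the view outside this hunk and is now unused (or, if a test reads it, stale). Either remove that property or point it at the new template and keep the call site short: `template: HtmlUtils.template(teamProfileHeaderActionsTemplate),` on the view and `HtmlUtils.setHtml(view.$el, view.template({showJoinButton: showJoinButton, message: message, showEditButton: view.showEditButton}));` here. The enclosing function starts outside this hunk.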

@@ -1,8 +1,8 @@
/* Team utility methods*/
(function(define) {
'use strict';
define(['jquery', 'underscore'],
function($, _) {
define(['jquery', 'underscore', 'edx-ui-toolkit/js/utils/string-utils'],
function($, _, StringUtils) {
return {
/**
@@ -20,12 +20,11 @@
},
teamCapacityText: function(memberCount, maxMemberCount) {
// eslint-disable-next-line no-undef
return interpolate( // xss-lint: disable=javascript-interpolate
return StringUtils.interpolate(
// Translators: The following message displays the number of members on a team.
ngettext(
'%(memberCount)s / %(maxMemberCount)s Member',
'%(memberCount)s / %(maxMemberCount)s Members',
'{memberCount} / {maxMemberCount} Member',
'{memberCount} / {maxMemberCount} Members',
maxMemberCount
),
{memberCount: memberCount, maxMemberCount: maxMemberCount}, true


@@ -3,8 +3,14 @@
*/
(function(define) {
'use strict';
define(['backbone', 'underscore', 'gettext', 'js/components/card/views/card'],
function(Backbone, _, gettext, CardView) {
define([
'backbone',
'underscore',
'gettext',
'js/components/card/views/card',
'edx-ui-toolkit/js/utils/html-utils',
'edx-ui-toolkit/js/utils/string-utils'],
function(Backbone, _, gettext, CardView, HtmlUtils, StringUtils) {
var TeamCountDetailView = Backbone.View.extend({
tagName: 'p',
className: 'team-count',
@@ -15,12 +21,15 @@
render: function() {
var team_count = this.model.get('team_count'); // eslint-disable-line camelcase
// eslint-disable-next-line no-undef, max-len
this.$el.html(_.escape(interpolate( // xss-lint: disable=javascript-jquery-html,javascript-interpolate
ngettext('%(team_count)s Team', '%(team_count)s Teams', team_count),
{team_count: team_count},
true
)));
HtmlUtils.setHtml(
this.$el,
HtmlUtils.HTML(_.escape(StringUtils.interpolate(
ngettext('{team_count} Team', '{team_count} Teams', team_count),
{team_count: team_count},
true
)))
);
return this;
}
});
@@ -43,9 +52,8 @@
details: function() { return this.detailViews; },
actionClass: 'action-view',
actionContent: function() {
// eslint-disable-next-line no-undef
var screenReaderText = _.escape(interpolate( // xss-lint: disable=javascript-interpolate
gettext('View Teams in the %(topic_name)s Topic'),
var screenReaderText = _.escape(StringUtils.interpolate(
gettext('View Teams in the {topic_name} Topic'),
{topic_name: this.model.get('name')}, true
));
// eslint-disable-next-line max-len