Commit Graph

39204 Commits

Author SHA1 Message Date
Calen Pennington
ac951c4bd2 XSS escape cms/templates/course_info.html 2016-03-23 16:12:41 -04:00
Calen Pennington
53a2960941 XSS escape cms/templates/component.html 2016-03-23 16:12:40 -04:00
Calen Pennington
7922dcbb9c XSS escape cms/templates/js/asset.underscore 2016-03-23 16:12:40 -04:00
Calen Pennington
485c542838 XSS escape cms/templates/js/asset-library.underscore 2016-03-23 16:12:40 -04:00
Calen Pennington
b91d1f2256 XSS escape cms/templates/asset_index.html 2016-03-23 16:12:40 -04:00
Eric Fischer
41c1c30f2b Merge pull request #11917 from edx/efischer/fix_safe_linter
Safe template linter should use DOTALL
2016-03-23 16:11:19 -04:00
Bill DeRusha
e6edba18b4 Safe Templatize: wiki templates 2016-03-23 16:06:36 -04:00
Akiva Leffert
2876076677 Remove unused empty file 2016-03-23 16:05:08 -04:00
Eric Fischer
7cfa0fa111 Safe template linter should use DOTALL
MULTILINE has to do with how '^' and '$' behave, DOTALL will make the
'.' match newlines as well. This catches several failures that were
previously missed.
2016-03-23 15:59:29 -04:00
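The MULTILINE/DOTALL distinction the commit above describes, as an added example that is not the edx-platform safe template linter itself: a deliberately simplified linter with a hypothetical `${...}` expression pattern and a constructed mako template. The template declares the `<%page expression_filter="h"/>` directive that the other commits in this log add, but its second expression spans lines and turns escaping off with the `n` filter; without `re.DOTALL` the pattern never sees it.

```python
import re

# Constructed sample mako template (not a file from edx-platform). It declares the
# "h" page filter, so ${...} output is HTML-escaped by default, but the second
# expression spans lines and switches escaping off with the "n" filter.
SAMPLE_TEMPLATE = """<%page expression_filter="h"/>
<h1>${course.display_name}</h1>
<div>${
    render_body() | n
}</div>
"""

# Mako directive that HTML-escapes every ${...} expression unless a filter overrides it.
PAGE_FILTER_RE = re.compile(r'<%page\s+expression_filter="h"\s*/>')

# Hypothetical, simplified expression pattern; the project's linter uses its own patterns.
EXPRESSION_PATTERN = r'\$\{.*?\}'


def find_expressions(template, dotall=True):
    """Return every ${...} expression found in the template text.

    Without DOTALL, '.' stops at a newline, so an expression whose braces span
    lines is silently skipped. MULTILINE would not help: it only changes what
    '^' and '$' anchor to.
    """
    flags = re.DOTALL if dotall else 0
    return [m.group(0) for m in re.finditer(EXPRESSION_PATTERN, template, flags)]


def has_page_filter(template):
    return PAGE_FILTER_RE.search(template) is not None


def lint(template, dotall=True):
    """Return a list of findings: a missing page filter, plus any expression
    that disables escaping with the mako 'n' filter."""
    findings = []
    if not has_page_filter(template):
        findings.append('missing <%page expression_filter="h"/>')
    for expr in find_expressions(template, dotall):
        if re.search(r'\|\s*n\b', expr):
            # Collapse whitespace so multi-line expressions report on one line.
            findings.append('unescaped expression (n filter): ' + ' '.join(expr.split()))
    return findings


if __name__ == "__main__":
    print("without DOTALL:", lint(SAMPLE_TEMPLATE, dotall=False))
    print("with DOTALL:   ", lint(SAMPLE_TEMPLATE, dotall=True))
```

Run with `dotall=False` the sample passes clean; with `dotall=True` the unescaped multi-line expression is reported, which is the class of miss the commit says DOTALL fixed.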
Daniel Friedman
08ddeca426 Merge pull request #11912 from edx/dan-f/fix-accidental-extra-escaping
Fix accidental extra escaping
2016-03-23 15:55:18 -04:00
Simon Chen
79783800b4 Escape properly the elements on the dashboard xseries upsell template 2016-03-23 15:41:30 -04:00
Akiva Leffert
d44b4d28ce Mark register-sidebar template safe by default 2016-03-23 15:10:07 -04:00
Daniel Friedman
56b1196246 Fix accidental extra escaping 2016-03-23 14:46:35 -04:00
Renzo Lucioni
a104d82e70 Secure templates used to inject Segment and Optimizely 2016-03-23 14:40:24 -04:00
Kevin Falcone
06f5e49978 This appears to actually be in UTC (not in the django TZ default).
You can see the times are marked +00:00 for the ISO 8601 format date and
I see no code in the backend that tries to convert.
2016-03-23 14:38:18 -04:00
Kevin Falcone
8a85d7e346 Update to secure by default
Most things were already escaped, including the json.dumps, and we've
decided not to use dump_html_escaped_json
2016-03-23 14:35:08 -04:00
Daniel Friedman
679cdc3775 Merge pull request #11893 from edx/dan-f/make-cms-activation_invalid-safe
Make CMS activation_invalid template safe by default
2016-03-23 13:55:51 -04:00
Daniel Friedman
0b6faee467 Merge pull request #11891 from edx/dan-f/make-cms-activation_complete-safe
Make CMS activation_complete template safe by default
2016-03-23 13:55:11 -04:00
Jesse Zoldak
1b1f39527b Merge pull request #11902 from edx/zoldak/html-escape-mako-without-variables
Add h filter page directive to cms mako templates without variables
2016-03-23 13:30:46 -04:00
Michael Katz
c4a18db989 Merge pull request #11896 from edx/mkatz/3pauthsafetemplate
add filter to profile page
2016-03-23 13:11:49 -04:00
Peter Fogg
d28e0a277e Merge pull request #11895 from edx/peter-fogg/linter-fixes
Minor fixes to the safe template linter.
2016-03-23 12:39:28 -04:00
Muzaffar yousaf
a6627f57c9 Merge pull request #79 from edx/hotfix-2016-03-23
[TNL-4073][TNL-4273] Make sure that domain defined for preview exists in
2016-03-23 21:30:29 +05:00
Toby Lawrence
76c0c0413d Only require a module once.
Looking at this code, I'm not entirely sure why it was added, but it's
demonstrably loading modules twice when not in debug mode.
2016-03-23 12:29:47 -04:00
M. Rehan
8459b5be77 Merge pull request #10705 from edx/mrehan/SUST-22
Implement 'from_string_or_404' in utils
2016-03-23 21:26:39 +05:00
Peter Fogg
5d8a5d97e1 Merge pull request #11892 from edx/peter-fogg/remove-teams-wires
Remove old teams example templates.
2016-03-23 12:08:24 -04:00
Jesse Zoldak
6f0d1157f1 Add h filter page directive to cms mako templates without variables
The files to change were found with:
`ack --literal --type=html --match '${' --files-without-matches cms/templates`
2016-03-23 12:05:12 -04:00
Peter Fogg
6661063b5a Minor fixes to the safe template linter. 2016-03-23 11:38:45 -04:00
Michael Katz
4d6c787930 add filter 2016-03-23 11:34:21 -04:00
Toby Lawrence
e62a8da457 Set the correct names for overridden dependencies. 2016-03-23 11:28:25 -04:00
Daniel Friedman
48e2299e47 Make CMS activation_invalid template safe by default 2016-03-23 11:21:50 -04:00
Peter Fogg
11bb281019 Remove old teams example templates. 2016-03-23 11:19:01 -04:00
Calen Pennington
2607f8a98c XSS escape cms/templates/activation_active.html 2016-03-23 11:17:17 -04:00
Daniel Friedman
ea347c7a9b Make CMS activation_complete template safe by default 2016-03-23 11:11:08 -04:00
Muhammad Rehan
771a7d06ca Implement 'from_string_or_404' util and its example usage. 2016-03-23 20:10:32 +05:00
Michael Katz
9a94b106f8 safe template 2016-03-23 10:49:35 -04:00
Toby Lawrence
f8ddfb5945 Use a module/path mapping for RequireJS overrides instead of just paths.
Instead of attempting to derive the module portion of a RequireJS
override strictly from the path to the JS file, we now use a dictionary
where the module name must be explicitly specified.  This allows us to
compensate for files which do not follow a naming scheme that is
compatible with RequireJS without having to normalize all files.  This
is extremely important when using third-party dependencies.
2016-03-23 10:34:58 -04:00
attiyaIshaque
1e74f942f1 Merge branch 'master' into ai/tnl3964-forum-vote-button 2016-03-23 19:00:01 +05:00
Ehtesham
5ad2eb300c [TNL-4073][TNL-4273] Make sure that domain defined for preview exists in
HOSTNAME_MODULESTORE_DEFAULT_MAPPINGS,
2016-03-23 18:52:32 +05:00
Vedran Karačić
88aa4a9055 Merge pull request #11852 from edx/vkaracic/SOL-1712
Change EcommerceService's is_enabled to accept User instead of request
2016-03-23 09:40:56 +01:00
vkaracic
3c8ae7c3b2 Change EcommerceService's is_enabled to accept User instead of request.
And change the verification link in the sidebar to redirect to new basket if the EcommerceService is enabled.
2016-03-23 07:44:55 +00:00
Mushtaq Ali
5deb07d904 Merge pull request #11884 from edx/mushtaq/edx-ora2-version-1.1.1
ORA2 version update
2016-03-23 02:26:26 +05:00
Andy Armstrong
c7336b3d68 Merge pull request #11880 from edx/andya/add-ui-toolkit-only
Add the UI Toolkit to edx-platform
2016-03-22 16:34:54 -04:00
M. Rehan
c9e1a86086 Merge pull request #11860 from edx/adam/fix-math-input-ajax
TNL-4217 – Initialize preview once for an input for the first time
2016-03-23 00:58:18 +05:00
Andy Armstrong
0177eeded4 Add the UI Toolkit to edx-platform
UITK-75
2016-03-22 15:31:27 -04:00
Mushtaq Ali
1b60f73119 ORA2 version update to 1.1.1. Includes bug fixes for TNL-4268 2016-03-23 00:24:26 +05:00
Adam Palay
d3a467d366 Only add event listener if it hasn't been added yet 2016-03-23 00:00:27 +05:00
Toby Lawrence
85304b8b9d Make CDNifying of course over image URLs only happen for relative URLs.
We don't want to blindly assemble the base CDN URL with whatever an
image URL happens to be, since it might be an absolute URL and now the
result is a broken URL.  We take a more selective approach now.
2016-03-22 13:56:40 -04:00
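The relative-versus-absolute distinction described in the commit above, as an added example that is not the project's code: a small helper that prefixes a CDN base only when the image URL is relative, and leaves absolute and protocol-relative URLs alone. The CDN base and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urljoin, urlparse

# Assumed CDN base for the example; not a real edx-platform setting.
CDN_BASE = "https://cdn.example.org/"


def cdnify(url, cdn_base=CDN_BASE):
    """Return the CDN-hosted URL for a relative path; return absolute and
    protocol-relative URLs unchanged.

    Blindly concatenating the base with an absolute URL produces a broken
    address such as "https://cdn.example.org/https://other.example.com/a.png",
    so anything with a scheme or a host is passed through as-is.
    """
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc:
        return url
    # Strip a leading slash so urljoin keeps any path component of the base.
    return urljoin(cdn_base, url.lstrip("/"))


def cdnify_all(urls, cdn_base=CDN_BASE):
    """Apply cdnify to each URL, preserving order."""
    return [cdnify(u, cdn_base) for u in urls]


if __name__ == "__main__":
    # Constructed sample inputs: one relative path, one absolute URL, one protocol-relative URL.
    for u in ["/static/images/course.png", "https://other.example.com/a.png", "//other.example.com/b.png"]:
        print(u, "->", cdnify(u))
```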
Ben Patterson
3332721948 Merge pull request #11867 from edx/benp/courseteam-flaky-fix
Fix flaky condition that's showing up in firefox 42.
2016-03-22 13:55:59 -04:00
Jesse Zoldak
a77000a89c Merge pull request #11881 from edx/zoldak/TE-1235
Remove executable bit from test file TE-1235
2016-03-22 13:40:34 -04:00
Eric Fischer
c97a6a5178 Merge pull request #11758 from edx/christina/xss-tests
Bok choy XSS changes
2016-03-22 13:02:47 -04:00