298d3554fe
This would patch all templates (django/mako) for a possible XSS code injection via translation files by html escaping them.. LEARNER-4632
41 lines
1.2 KiB
HTML
41 lines
1.2 KiB
HTML
<%page expression_filter="h"/>
|
|
<%!
|
|
import json
|
|
from django.utils.translation import ugettext as _
|
|
from openedx.core.djangolib.js_utils import js_escaped_string
|
|
%>
|
|
<!DOCTYPE HTML>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
|
<title>LTI</title>
|
|
</head>
|
|
<body>
|
|
## This form will be hidden.
|
|
## LTI module JavaScript will trigger a "submit" on the form, and the
|
|
## result will be rendered instead.
|
|
<form
|
|
id="lti-${element_id}"
|
|
action="${launch_url}"
|
|
method="post"
|
|
encType="application/x-www-form-urlencoded"
|
|
style="display:none;"
|
|
>
|
|
|
|
% for param_name, param_value in input_fields.items():
|
|
<input name="${param_name}" value="${param_value}" />
|
|
%endfor
|
|
|
|
<input type="submit" value="${_('Press to Launch')}" />
|
|
</form>
|
|
<script type="text/javascript">
|
|
(function (d) {
|
|
var element = d.getElementById("lti-${element_id | n, js_escaped_string}");
|
|
if (element) {
|
|
element.submit();
|
|
}
|
|
}(document));
|
|
</script>
|
|
</body>
|
|
</html>
|