Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a05dc292bc00a850cd00a6f09e22f10cbe32608
edx-platform/lms/templates/wiki/edit.html
Adeel Khan 298d3554fe Fix templates for XSS code injection via translations 
This would patch all templates (django/mako)
for a possible XSS code injection via
translation files by html escaping them..

LEARNER-4632
2019-06-25 14:22:42 +05:00

75 lines
3.3 KiB
HTML
Raw Blame History

{% extends "wiki/article.html" %}
{% load wiki_tags i18n sekizai_tags %}
{% block pagetitle %}{% trans "Edit" as tmsg%}{{tmsg|force_escape}}: {{ article.current_revision.title }}{% endblock %}
{% block wiki_contents_tab %}
{% addtoblock "js" %}
<script type="text/javascript">
$(document).ready(
function ($) {
accessible_modal("#cheatsheetLink", "#cheatsheetModal .close-modal", "#cheatsheetModal", ".content-wrapper");
accessible_modal("#previewButton", "#previewModal .close-modal", "#previewModal", ".content-wrapper");
$("#previewModalBackToEditor").click(function (e) {
$("#previewModal .close-modal").click();
e.preventDefault();
});
}
);
</script>
{% endaddtoblock %}
<form method="POST" class="form-horizontal" id="article_edit_form" name="article_edit_form" enctype="multipart/form-data">
{% include "wiki/includes/editor.html" %}
<div class="form-actions">
<button type="submit" name="save" value="1" class="btn btn-large btn-primary" onclick="this.form.target=''; this.form.action='{% url 'wiki:edit' path=urlpath.path article_id=article.id %}'">
<span class="icon fa fa-check-square-o" aria-hidden="true"></span>
{% trans "Save changes" as tmsg%}{{tmsg|force_escape}}
</button>
<a class="btn btn-large" id="previewButton" href="#previewModal" rel="leanModal"
onclick="
document.article_edit_form.target='previewWindow';
document.article_edit_form.action='{% url 'wiki:preview' path=urlpath.path article_id=article.id %}';
document.article_edit_form.submit();">
<span class="icon fa fa-eye" aria-hidden="true"></span>
{% trans "Preview" as tmsg%}{{tmsg|force_escape}}
</a>
<a href="{% url 'wiki:delete' path=urlpath.path article_id=article.id %}" class="pull-right btn btn-danger">
<span class="icon fa fa-remove" aria-hidden="true"></span>
{% trans "Delete article" as tmsg%}{{tmsg|force_escape}}
</a>
</div>
<div id="previewModal" class="modal" aria-hidden="true">
<div class="inner-wrapper" role="dialog" aria-labelledby="preview-title" aria-modal=true>
<button class="close-modal"><span class="icon fa fa-remove" aria-hidden="true"></span> <span class="sr">{% trans 'Close' as tmsg%}{{tmsg|force_escape}}</span></button>
<header>
<h2 id="preview-title">{% trans "Wiki Preview" as tmsg%}{{tmsg|force_escape}}<span class="sr">, {% trans "window open" as tmsg%}{{tmsg|force_escape}}</span></h2>
<hr/>
</header>
<div class="modal-body">
<iframe name="previewWindow" frameborder="0"></iframe>
</div>
<div class="modal-footer">
<button type="submit" name="save" value="1" class="btn btn-large btn-primary" onclick="this.form.target=''; this.form.action='{% url 'wiki:edit' path=urlpath.path article_id=article.id %}'">
<span class="icon fa fa-check-square-o" aria-hidden="true"></span>
{% trans "Save changes" as tmsg%}{{tmsg|force_escape}}
</button>
<a id="previewModalBackToEditor" href="#" class="btn btn-large">
<span class="icon fa fa-circle-arrow-left" aria-hidden="true"></span>
{% trans "Back to editor" as tmsg%}{{tmsg|force_escape}}
</a>
</div>
</div>
</div>
{% include "wiki/includes/cheatsheet.html" %}
</form>
{% endblock %}
Reference in New Issue View Git Blame Copy Permalink