

Merge pull request #228 from edx/aakbar/xss-security-fixes
Fix XSS for numerous files
Ali-D-Akbar authored Apr 21, 2021
2 parents efa13ff + a4437cb commit 025fb5e
Showing 3 changed files with 7 additions and 6 deletions.
2 changes: 1 addition & 1 deletion cms/static/js/models/settings/course_grader.js
Expand Up @@ -63,7 +63,7 @@ define(['backbone', 'underscore', 'gettext'], function(Backbone, _, gettext) {
}
if (_.has(attrs, 'min_count') && _.has(attrs, 'drop_count') && !_.has(errors, 'min_count') && !_.has(errors, 'drop_count') && attrs.drop_count > attrs.min_count) {
var template = _.template(
gettext('Cannot drop more <%= types %> assignments than are assigned.')
gettext('Cannot drop more <%- types %> assignments than are assigned.')
);
errors.drop_count = template({types: attrs.type});
}
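Review bot: Switching to `<%- types %>` HTML-escapes `attrs.type`, which is only the right encoding if the code that displays `errors.drop_count` inserts it as HTML; a consumer that sets it with `.text()` will now show entities literally, so the sink should be confirmed before relying on this. The enclosing validate function starts above the hunk and continues past it, and any other error messages it builds are not visible here. The template source also passes through `gettext` before `_.template` compiles it, so a translation catalog is effectively template code; a lint or grep for `<%=` in the `.po` files would keep this fix from regressing through a translation.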
7 changes: 4 additions & 3 deletions cms/static/js/views/active_video_upload.js
@@ -1,6 +1,7 @@
define(
['underscore', 'js/models/active_video_upload', 'js/views/baseview', 'common/js/components/views/feedback_prompt'],
function(_, ActiveVideoUpload, BaseView, PromptView) {
['underscore', 'js/models/active_video_upload', 'js/views/baseview', 'common/js/components/views/feedback_prompt',
'edx-ui-toolkit/js/utils/html-utils'],
function(_, ActiveVideoUpload, BaseView, PromptView, HtmlUtils) {
'use strict';

var STATUS_CLASSES = [
Expand All @@ -25,7 +26,7 @@ define(
render: function() {
var $el = this.$el,
status;
$el.html(this.template(this.model.attributes));
$el.html(HtmlUtils.HTML(this.template(this.model.attributes)).toString());
status = this.model.get('status');
_.each(
STATUS_CLASSES,
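Review bot: `HtmlUtils.HTML(this.template(...)).toString()` on the `$el.html` line is an identity conversion as far as the toolkit API goes — `HtmlUtils.HTML` marks an already-rendered string as trusted and does not escape anything — so the rendered output is the same string the old line produced and the view is exactly as safe as `this.template`, which is defined outside this hunk. If the intent is escaping by default, the protection has to come from how the template is compiled (e.g. via `HtmlUtils.template`) and the insertion point should say so, `HtmlUtils.setHtml($el, this.template(this.model.attributes));`, so that a reader can see the contract where the HTML is set. As written, the new import buys nothing and the original `$el.html(this.template(this.model.attributes));` was clearer; at minimum a comment on the line should state that escaping is the template's responsibility.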
4 changes: 2 additions & 2 deletions common/lib/xmodule/xmodule/js/src/video/09_poster.js
Expand Up @@ -23,8 +23,8 @@
VideoPoster.moduleName = 'Poster';
VideoPoster.prototype = {
template: _.template([
'<div class="video-pre-roll is-<%= type %> poster" ',
'style="background-image: url(<%= url %>)">',
'<div class="video-pre-roll is-<%- type %> poster" ',
'style="background-image: url(<%- url %>)">',
'<button class="btn-play btn-pre-roll">',
'<img src="/static/images/play.png" alt="">',
'<span class="sr">', gettext('Play video'), '</span>',
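Review bot: Escaping `url` with `<%-` protects the `style` attribute boundary, but the value lands inside a CSS `url(...)` token, and the browser HTML-decodes the attribute value before parsing it as CSS, so quote and parenthesis characters survive HTML escaping and can still terminate the `url()` and append further declarations. HTML escaping is the wrong layer for that context; the `url` should be validated where the template context is built (outside this hunk) — for example accept only site-relative or `http(s)` URLs containing no whitespace, quotes or parentheses — or the background should be set from code with `element.style.backgroundImage` and `CSS.escape(url)` instead of through the template. The `<%- type %>` change inside the `class` attribute is sufficient as is. Where the poster `url` originates is not visible here, so whether it is user-controlled needs confirming in the caller.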

