Sustaining xss fixes

This commit contains xsslint fixes for the following Jira Tickets: PROD-1661 PROD-1663 PROD-1665 PROD-1727 PROD-1729 PROD-1731 PROD-1732 PROD-1795
open-craft · Jul 22, 2020 · 0e45ecb · 0e45ecb
1 parent 40e47e1
commit 0e45ecb
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 27 deletions.
diff --git a/cms/static/js/views/video/transcripts/file_uploader.js b/cms/static/js/views/video/transcripts/file_uploader.js
@@ -1,9 +1,11 @@
 define(
     [
         'jquery', 'backbone', 'underscore',
-        'js/views/video/transcripts/utils'
+        'js/views/video/transcripts/utils',
+        'edx-ui-toolkit/js/utils/html-utils'
     ],
-function($, Backbone, _, TranscriptUtils) {
+function($, Backbone, _, TranscriptUtils, HtmlUtils) {
+    'use strict';
     var FileUploader = Backbone.View.extend({
         invisibleClass: 'is-invisible',
 
@@ -37,9 +39,8 @@ function($, Backbone, _, TranscriptUtils) {
 
                     return;
                 }
-                this.template = _.template(tpl);
-
-                tplContainer.html(this.template({
+                this.template = HtmlUtils.template(tpl);
+                HtmlUtils.setHtml(tplContainer, this.template({
                     ext: this.validFileExtensions,
                     component_locator: this.options.component_locator
                 }));
@@ -126,11 +127,12 @@ function($, Backbone, _, TranscriptUtils) {
         *
         */
         checkExtValidity: function(file) {
+            var fileExtension;
             if (!file.name) {
                 return void(0);
             }
 
-            var fileExtension = file.name
+            fileExtension = file.name
                                     .split('.')
                                     .pop()
                                     .toLowerCase();
@@ -153,7 +155,7 @@ function($, Backbone, _, TranscriptUtils) {
 
             this.$progress
                 .width(percentVal)
-                .html(percentVal)
+                .text(percentVal)
                 .removeClass(this.invisibleClass);
         },
 
@@ -177,7 +179,7 @@ function($, Backbone, _, TranscriptUtils) {
 
             this.$progress
                 .width(percentVal)
-                .html(percentVal);
+                .text(percentVal);
         },
 
         /**

diff --git a/cms/templates/edit-tabs.html b/cms/templates/edit-tabs.html
@@ -21,7 +21,7 @@
 
 <%block name="page_bundle">
     <%static:webpack entry="js/factories/edit_tabs">
-        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id})}");
+        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id}) | n, js_escaped_string}");
     </%static:webpack>
 </%block>
 

diff --git a/cms/templates/manage_users_lib.html b/cms/templates/manage_users_lib.html
@@ -1,3 +1,5 @@
+<%page expression_filter="h"/>
+
 <%inherit file="base.html" />
 <%!
 from django.utils.translation import ugettext as _
@@ -110,7 +112,7 @@ <h3 class="title-3">${_("Library Access Roles")}</h3>
 <%block name="requirejs">
   require(["js/factories/manage_users_lib"], function(ManageLibraryUsersFactory) {
       ManageLibraryUsersFactory(
-        "${context_library.display_name_with_default | h}",
+        "${context_library.display_name_with_default | n, js_escaped_string}",
         ${users | n, dump_js_escaped_json},
         "${reverse('course_team_handler', kwargs={'course_key_string': library_key, 'email': '@@EMAIL@@'}) | n, js_escaped_string}",
         ${request.user.id | n, dump_js_escaped_json},

diff --git a/lms/static/js/verify_student/views/pay_and_verify_view.js b/lms/static/js/verify_student/views/pay_and_verify_view.js
@@ -126,7 +126,10 @@ var edx = edx || {};
             // Get or create the step container
             $stepEl = $('#current-step-container');
             if (!$stepEl.length) {
-                $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                $stepEl = edx.HtmlUtils.append(
+                  $(this.el),
+                  edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                );
             }
 
             // Render the subview

diff --git a/lms/static/js/verify_student/views/reverify_view.js b/lms/static/js/verify_student/views/reverify_view.js
@@ -83,7 +83,10 @@
             // Get or create the step container
              $stepEl = $('#current-step-container');
              if (!$stepEl.length) {
-                 $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                 $stepEl = edx.HtmlUtils.append(
+                   $(this.el),
+                   edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                 );
              }
 
             // Render the step subview

diff --git a/lms/static/js/views/image_field.js b/lms/static/js/views/image_field.js
@@ -1,15 +1,16 @@
 (function(define) {
     'use strict';
     define([
-        'gettext', 'jquery', 'underscore', 'backbone', 'js/views/fields',
+        'gettext', 'jquery', 'underscore', 'backbone',
+        'edx-ui-toolkit/js/utils/html-utils', 'js/views/fields',
         'text!templates/fields/field_image.underscore',
         'backbone-super', 'jquery.fileupload'
-    ], function(gettext, $, _, Backbone, FieldViews, field_image_template) {
+    ], function(gettext, $, _, Backbone, HtmlUtils, FieldViews, FieldImageTemplate) {
         var ImageFieldView = FieldViews.FieldView.extend({
 
             fieldType: 'image',
 
-            fieldTemplate: field_image_template,
+            fieldTemplate: FieldImageTemplate,
             uploadButtonSelector: '.upload-button-input',
 
             titleAdd: gettext('Upload an image'),
@@ -44,7 +45,7 @@
             },
 
             render: function() {
-                this.$el.html(this.template({
+                var attributes = {
                     id: this.options.valueAttribute,
                     inputName: (this.options.inputName || 'file'),
                     imageUrl: _.result(this, 'imageUrl'),
@@ -54,7 +55,8 @@
                     removeButtonIcon: _.result(this, 'iconRemove'),
                     removeButtonTitle: _.result(this, 'removeButtonTitle'),
                     screenReaderTitle: _.result(this, 'screenReaderTitle')
-                }));
+                };
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
                 this.delegateEvents();
                 this.updateButtonsVisibility();
                 this.watchForPageUnload();
@@ -184,14 +186,14 @@
 
             showUploadInProgressMessage: function() {
                 this.$('.u-field-upload-button').addClass('in-progress');
-                this.$('.upload-button-icon').html(this.iconProgress);
-                this.$('.upload-button-title').html(this.titleUploading);
+                HtmlUtils.setHtml(this.$('.upload-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.upload-button-title'), HtmlUtils.HTML(this.titleUploading));
             },
 
             showRemovalInProgressMessage: function() {
                 this.$('.u-field-remove-button').css('opacity', 1);
-                this.$('.remove-button-icon').html(this.iconProgress);
-                this.$('.remove-button-title').html(this.titleRemoving);
+                HtmlUtils.setHtml(this.$('.remove-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.remove-button-title'), HtmlUtils.HTML(this.titleRemoving));
             },
 
             setCurrentStatus: function(status) {

diff --git a/lms/static/js/views/notification.js b/lms/static/js/views/notification.js
@@ -9,7 +9,7 @@
         },
 
         render: function() {
-            this.$el.html(this.template({
+            this.$el.html(this.template({ // xss-lint: disable=javascript-jquery-html
                 type: this.model.get('type'),
                 title: this.model.get('title'),
                 message: this.model.get('message'),

diff --git a/lms/templates/split_test_author_view.html b/lms/templates/split_test_author_view.html
@@ -1,4 +1,9 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+    from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%
 split_test = context.get('split_test')
@@ -11,8 +16,8 @@
     <div class="xblock-message information">
         <p>
             <span class="message-text">
-                ${_("This content experiment uses group configuration '{group_configuration_name}'.").format(
-                    group_configuration_name="<a href='{}'>{}</a>".format(group_configuration_url, user_partition.name) if show_link else user_partition.name
+                ${Text(_("This content experiment uses group configuration '{group_configuration_name}'.")).format(
+                    group_configuration_name=Text(HTML("<a href='{}'>{}</a>")).format(group_configuration_url, user_partition.name) if show_link else user_partition.name
                 )}
             </span>
         </p>
@@ -23,13 +28,13 @@
 % if is_root:
     <div class="wrapper-groups is-active">
         <h3 class="sr">${_("Active Groups")}</h3>
-        ${active_groups_preview}
+        ${HTML(active_groups_preview)}
     </div>
 
     % if inactive_groups_preview:
         <div class="wrapper-groups is-inactive">
             <h3 class="title">${_("Inactive Groups")}</h3>
-            ${inactive_groups_preview}
+            ${HTML(inactive_groups_preview)}
         </div>
     % endif
 % endif