[BB-3816] Apply security fixes [7, 8, 9] #321

Closed
10 changes: 5 additions & 5 deletions cms/templates/js/add-xblock-component-button.underscore
@@ -1,9 +1,9 @@
<% if (type === 'advanced' || templates.length > 1) { %>
<button type="button" class="multiple-templates add-xblock-component-button" data-type="<%= type %>">
<button type="button" class="multiple-templates add-xblock-component-button" data-type="<%- type %>">
<% } else { %>
<button type="button" class="single-template add-xblock-component-button" data-type="<%= type %>" data-category="<%= templates[0].category %>">
<button type="button" class="single-template add-xblock-component-button" data-type="<%- type %>" data-category="<%- templates[0].category %>">
<% } %>
<span class="large-template-icon large-<%= type %>-icon"></span>
<span class="sr"> <%= gettext("Add Component:") %></span>
<span class="name"><%= display_name %></span>
<span class="large-template-icon large-<%- type %>-icon"></span>
<span class="sr"> <%- gettext("Add Component:") %></span>
<span class="name"><%- display_name %></span>
</button>
2 changes: 1 addition & 1 deletion cms/templates/js/add-xblock-component.underscore
@@ -1,5 +1,5 @@
<div class="new-component">
<h5><%= gettext("Add New Component") %></h5>
<h5><%- gettext("Add New Component") %></h5>
<ul class="new-component-type">
</ul>
</div>
6 changes: 3 additions & 3 deletions cms/templates/js/asset-upload-modal.underscore
@@ -1,7 +1,7 @@
<div class="upload-modal modal" style="display: none;">
<a href="#" class="close-button"><span class="icon fa fa-times-circle" aria-hidden="true"></span> <span class="sr"><%= gettext('close') %></span></a>
<a href="#" class="close-button"><span class="icon fa fa-times-circle" aria-hidden="true"></span> <span class="sr"><%- gettext('close') %></span></a>
<div class="modal-body">
<h1 class="title"><%= gettext("Upload New File") %></h1>
<h1 class="title"><%- gettext("Upload New File") %></h1>
<p class="file-name">
<div class="progress-bar">
<div class="progress-fill"></div>
@@ -12,7 +12,7 @@
</div>
<form class="file-chooser" action="asset-url"
method="post" enctype="multipart/form-data">
<a href="#" class="choose-file-button"><%= gettext("Choose File") %></a>
<a href="#" class="choose-file-button"><%- gettext("Choose File") %></a>
<input type="file" class="file-input" name="file">
</form>
</div>
32 changes: 16 additions & 16 deletions cms/templates/js/course_grade_policy.underscore
@@ -1,35 +1,35 @@
<li class="field-group course-grading-assignment-list-item">
<div class="field text" id="field-course-grading-assignment-name">
<label for="course-grading-assignment-name"><%= gettext("Assignment Type Name") %></label>
<input type="text" class="long" id="course-grading-assignment-name" value="<%= model.get('type') %>" />
<span class="tip tip-stacked"><%= gettext("The general category for this type of assignment, for example, Homework or Midterm Exam. This name is visible to learners.") %></span>
<label for="course-grading-assignment-name"><%- gettext("Assignment Type Name") %></label>
<input type="text" class="long" id="course-grading-assignment-name" value="<%= model.get('type') %>" /> <% // xss-lint: disable=underscore-not-escaped %>
<span class="tip tip-stacked"><%- gettext("The general category for this type of assignment, for example, Homework or Midterm Exam. This name is visible to learners.") %></span>
</div>

<div class="field text" id="field-course-grading-assignment-shortname">
<label for="course-grading-assignment-shortname"><%= gettext("Abbreviation") %></label>
<input type="text" class="short" id="course-grading-assignment-shortname" value="<%= model.get('short_label') %>" />
<span class="tip tip-stacked"><%= gettext("This short name for the assignment type (for example, HW or Midterm) appears next to assignments on a learner's Progress page.") %></span>
<label for="course-grading-assignment-shortname"><%- gettext("Abbreviation") %></label>
<input type="text" class="short" id="course-grading-assignment-shortname" value="<%= model.get('short_label') %>" /> <% // xss-lint: disable=underscore-not-escaped %>
<span class="tip tip-stacked"><%- gettext("This short name for the assignment type (for example, HW or Midterm) appears next to assignments on a learner's Progress page.") %></span>
</div>

<div class="field text" id="field-course-grading-assignment-gradeweight">
<label for="course-grading-assignment-gradeweight"><%= gettext("Weight of Total Grade") %></label>
<input type="text" class="short" id="course-grading-assignment-gradeweight" value = "<%= model.get('weight') %>" />
<span class="tip tip-stacked"><%= gettext("The weight of all assignments of this type as a percentage of the total grade, for example, 40. Do not include the percent symbol.") %></span>
<label for="course-grading-assignment-gradeweight"><%- gettext("Weight of Total Grade") %></label>
<input type="text" class="short" id="course-grading-assignment-gradeweight" value = "<%= model.get('weight') %>" /> <% // xss-lint: disable=underscore-not-escaped %>
<span class="tip tip-stacked"><%- gettext("The weight of all assignments of this type as a percentage of the total grade, for example, 40. Do not include the percent symbol.") %></span>
</div>

<div class="field text" id="field-course-grading-assignment-totalassignments">
<label for="course-grading-assignment-totalassignments"><%= gettext("Total Number") %></label>
<input type="text" class="short" id="course-grading-assignment-totalassignments" value = "<%= model.get('min_count') %>" />
<span class="tip tip-stacked"><%= gettext("The number of subsections in the course that contain problems of this assignment type.") %></span>
<label for="course-grading-assignment-totalassignments"><%- gettext("Total Number") %></label>
<input type="text" class="short" id="course-grading-assignment-totalassignments" value = "<%= model.get('min_count') %>" /> <% // xss-lint: disable=underscore-not-escaped %>
<span class="tip tip-stacked"><%- gettext("The number of subsections in the course that contain problems of this assignment type.") %></span>
</div>

<div class="field text" id="field-course-grading-assignment-droppable">
<label for="course-grading-assignment-droppable"><%= gettext("Number of Droppable") %></label>
<input type="text" class="short" id="course-grading-assignment-droppable" value = "<%= model.get('drop_count') %>" />
<span class="tip tip-stacked"><%= gettext("The number of assignments of this type that will be dropped. The lowest scoring assignments are dropped first.") %></span>
<label for="course-grading-assignment-droppable"><%- gettext("Number of Droppable") %></label>
<input type="text" class="short" id="course-grading-assignment-droppable" value = "<%= model.get('drop_count') %>" /> <% // xss-lint: disable=underscore-not-escaped %>
<span class="tip tip-stacked"><%- gettext("The number of assignments of this type that will be dropped. The lowest scoring assignments are dropped first.") %></span>
</div>

<div class="actions">
<a href="#" class="button delete-button standard remove-item remove-grading-data"><span class="delete-icon"></span><%= gettext("Delete") %></a>
<a href="#" class="button delete-button standard remove-item remove-grading-data"><span class="delete-icon"></span><%- gettext("Delete") %></a>
</div>
</li>
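Review bot: The five `<input>` lines still emit `<%= model.get(...) %>` raw inside the `value` attribute and only silence the linter with `xss-lint: disable=underscore-not-escaped`, so a `type` or `short_label` containing a double quote is written into the attribute unescaped. Nothing in the hunk explains why these values must stay raw, while other templates in this patch change the same pattern to `value="<%- model.get("value") %>"`. Either switch these five lines to `<%-` as well, or put the reason next to each pragma so the suppression can be audited later.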
8 changes: 4 additions & 4 deletions cms/templates/js/due-date-editor.underscore
@@ -1,22 +1,22 @@
<ul class="list-fields list-input datepair date-setter">
<li class="field field-text field-due-date">
<label for="due_date"><%= gettext('Due Date:') %></label>
<label for="due_date"><%- gettext('Due Date:') %></label>
<input type="text" id="due_date" name="due_date" value=""
placeholder="MM/DD/YYYY" class="due-date date input input-text" autocomplete="off"/>
</li>

<li class="field field-text field-due-time">
<label for="due_time"><%= gettext('Due Time in UTC:') %></label>
<label for="due_time"><%- gettext('Due Time in UTC:') %></label>
<input type="text" id="due_time" name="due_time" value=""
placeholder="HH:MM" class="due-time time input input-text" autocomplete="off" />
</li>
</ul>

<ul class="list-actions">
<li class="action-item">
<a href="#" data-tooltip="<%= gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
<a href="#" data-tooltip="<%- gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
<span class="icon fa fa-undo" aria-hidden="true"></span>
<span class="sr"><%= gettext('Clear Grading Due Date') %></span>
<span class="sr"><%- gettext('Clear Grading Due Date') %></span>
</a>
</li>
</ul>
12 changes: 6 additions & 6 deletions cms/templates/js/metadata-dict-entry.underscore
@@ -1,14 +1,14 @@
<div class="wrapper-comp-setting metadata-dict">
<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name')%></label>
<div id="<%= uniqueId %>" class="wrapper-dict-settings">
<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name')%></label>
<div id="<%- uniqueId %>" class="wrapper-dict-settings">
<ol class="list-settings"></ol>
<a href="#" class="create-action create-setting">
<span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add") %> <span class="sr"><%= model.get('display_name')%></span>
<span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add") %> <span class="sr"><%- model.get('display_name')%></span>
</a>
</div>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span>
<span class="sr">"<%= gettext("Clear Value") %>"</span>
<span class="sr">"<%- gettext("Clear Value") %>"</span>
</button>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>
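Review bot: Escaping `model.get('help')` on the last line changes what authors see if any field's help text contains markup (a link or emphasis, for example): it will now show as literal tags in the `tip setting-help` span. Please confirm that help strings reaching this template are plain text, and add a view test that renders a help value containing `<` so the intended behaviour is pinned down. The same one-line change is made in the other metadata entry templates in this patch, so the answer applies to all of them.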
10 changes: 5 additions & 5 deletions cms/templates/js/metadata-file-uploader-entry.underscore
@@ -1,9 +1,9 @@
<div class="wrapper-comp-setting file-uploader">
<label class="label setting-label"><%= model.get('display_name') %></label>
<input type="hidden" id="<%= uniqueId %>" class="input setting-input" value="<%= model.get("value") %>">
<label class="label setting-label"><%- model.get('display_name') %></label>
<input type="hidden" id="<%- uniqueId %>" class="input setting-input" value="<%- model.get("value") %>">
<div class="wrapper-uploader-actions"></div>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
</button>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>
12 changes: 6 additions & 6 deletions cms/templates/js/metadata-list-entry.underscore
@@ -1,17 +1,17 @@
<div class="wrapper-comp-setting metadata-list-enum">
<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name')%></label>
<div id="<%= uniqueId %>" class="wrapper-list-settings">
<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name')%></label>
<div id="<%- uniqueId %>" class="wrapper-list-settings">
<ol class="list-settings">

</ol>

<a href="#" class="create-action create-setting">
<span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add") %> <span class="sr"><%= model.get('display_name')%></span>
<span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add") %> <span class="sr"><%- model.get('display_name')%></span>
</a>
</div>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span>
<span class="sr">"<%= gettext("Clear Value") %>"</span>
<span class="sr">"<%- gettext("Clear Value") %>"</span>
</button>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>
10 changes: 5 additions & 5 deletions cms/templates/js/metadata-number-entry.underscore
@@ -1,8 +1,8 @@
<div class="wrapper-comp-setting">
<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
<input class="input setting-input setting-input-number" type="number" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
<input class="input setting-input setting-input-number" type="number" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
</button>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>
14 changes: 7 additions & 7 deletions cms/templates/js/metadata-option-entry.underscore
@@ -1,16 +1,16 @@
<div class="wrapper-comp-setting">
<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
<select class="input setting-input" id="<%= uniqueId %>" name="<%= model.get('display_name') %>">
<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
<select class="input setting-input" id="<%- uniqueId %>" name="<%- model.get('display_name') %>">
<% _.each(model.get('options'), function(option) { %>
<% if (option.display_name !== undefined) { %>
<option value="<%= option['display_name'] %>"><%= option['display_name'] %></option>
<option value="<%- option['display_name'] %>"><%- option['display_name'] %></option>
<% } else { %>
<option value="<%= option %>"><%= option %></option>
<option value="<%- option %>"><%- option %></option>
<% } %>
<% }) %>
</select>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
<span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
</button>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>
8 changes: 4 additions & 4 deletions cms/templates/js/validation-error-modal.underscore
@@ -1,7 +1,7 @@
<div class = "validation-error-modal-content">
<div class "error-header">
<p>
<%= _.template(
<%= _.template( // xss-lint: disable=underscore-not-escaped
ngettext(
"There was {strong_start}{num_errors} validation error{strong_end} while trying to save the course settings in the database.",
"There were {strong_start}{num_errors} validation errors{strong_end} while trying to save the course settings in the database.",
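Review bot: The pragma added to `<%= _.template(` keeps the whole interpolated sentence raw, so the translated `ngettext` text and `num_errors` are emitted as HTML together with the `{strong_start}`/`{strong_end}` markup that actually needs to be trusted. Escape the translated string and the count first and insert only the two tag placeholders as HTML, after which the `xss-lint: disable` comment is no longer needed. Separately, `<div class "error-header">` at the top of this hunk is missing the `=`, so the class is never applied; worth fixing while this file is open.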
@@ -13,7 +13,7 @@
num_errors: num_errors,
strong_end: '</strong>'
})%>
<%= gettext("Please check the following validation feedbacks and reflect them in your course settings:")%></p>
<%- gettext("Please check the following validation feedbacks and reflect them in your course settings:")%></p>
</div>

<hr>
@@ -24,9 +24,9 @@
<li class = "error-item">
<span class='error-item-title'>
<span class="icon fa fa-warning" aria-hidden="true"></span>
<strong><%= value.model.display_name %></strong>:
<strong><%- value.model.display_name %></strong>:
</span>
<textarea class = "error-item-message" disabled='disabled'><%=value.message%></textarea>
<textarea class = "error-item-message" disabled='disabled'><%-value.message%></textarea>
</li>

<% }); %>
6 changes: 3 additions & 3 deletions cms/templates/js/verification-access-editor.underscore
@@ -1,6 +1,6 @@
<form>
<div role="group" aria-labelledby="verification-checkpoint-title">
<h3 id="verification-checkpoint-title" class="modal-section-title"><%= gettext('Verification Checkpoint') %></h3>
<h3 id="verification-checkpoint-title" class="modal-section-title"><%- gettext('Verification Checkpoint') %></h3>
<div class="modal-section-content verification-access">
<div class="list-fields list-input">
<div class="field field-checkbox checkbox-cosmetic">
@@ -20,7 +20,7 @@
</label>

<label class="sr" for="verification-partition-select">
<%= gettext('Verification checkpoint to be completed') %>
<%- gettext('Verification checkpoint to be completed') %>
</label>

<select id="verification-partition-select">
@@ -35,7 +35,7 @@
</select>

<div id="verification-help-text" class="note">
<%= gettext("Learners who require verification must pass the selected checkpoint to see the content in this unit. Learners who do not require verification see this content by default.") %>
<%- gettext("Learners who require verification must pass the selected checkpoint to see the content in this unit. Learners who do not require verification see this content by default.") %>
</div>
</div>
</div>
6 changes: 3 additions & 3 deletions cms/templates/js/video/metadata-translations-entry.underscore
@@ -1,11 +1,11 @@
<div class="wrapper-comp-setting metadata-video-translations">
<label class="label setting-label"><%= model.get('display_name')%></label>
<label class="label setting-label"><%- model.get('display_name')%></label>
<input class="upload-transcript-input is-hidden" type="file" name="file" accept=".srt"/>
<div class="wrapper-translations-settings">
<ol class="list-settings"></ol>
<a href="#" class="create-action create-setting">
<span class="icon fa fa-plus" aria-hidden="true"></span><%= gettext("Add") %> <span class="sr"><%= model.get('display_name')%></span>
<span class="icon fa fa-plus" aria-hidden="true"></span><%- gettext("Add") %> <span class="sr"><%- model.get('display_name')%></span>
</a>
</div>
</div>
<span class="tip setting-help"><%= model.get('help') %></span>
<span class="tip setting-help"><%- model.get('help') %></span>