From 0e45ecb743a1f329be825367e72695af4113f882 Mon Sep 17 00:00:00 2001 From: Ali-D-Akbar Date: Wed, 22 Jul 2020 18:32:29 +0500 Subject: [PATCH] Sustaining xss fixes This commit contains xsslint fixes for the following Jira Tickets: PROD-1661 PROD-1663 PROD-1665 PROD-1727 PROD-1729 PROD-1731 PROD-1732 PROD-1795 --- .../views/video/transcripts/file_uploader.js | 18 +++++++++-------- cms/templates/edit-tabs.html | 2 +- cms/templates/manage_users_lib.html | 4 +++- .../views/pay_and_verify_view.js | 5 ++++- .../js/verify_student/views/reverify_view.js | 5 ++++- lms/static/js/views/image_field.js | 20 ++++++++++--------- lms/static/js/views/notification.js | 2 +- lms/templates/split_test_author_view.html | 15 +++++++++----- 8 files changed, 44 insertions(+), 27 deletions(-) diff --git a/cms/static/js/views/video/transcripts/file_uploader.js b/cms/static/js/views/video/transcripts/file_uploader.js index 2acd158c1cb8..8edab306a588 100644 --- a/cms/static/js/views/video/transcripts/file_uploader.js +++ b/cms/static/js/views/video/transcripts/file_uploader.js @@ -1,9 +1,11 @@ define( [ 'jquery', 'backbone', 'underscore', - 'js/views/video/transcripts/utils' + 'js/views/video/transcripts/utils', + 'edx-ui-toolkit/js/utils/html-utils' ], -function($, Backbone, _, TranscriptUtils) { +function($, Backbone, _, TranscriptUtils, HtmlUtils) { + 'use strict'; var FileUploader = Backbone.View.extend({ invisibleClass: 'is-invisible', @@ -37,9 +39,8 @@ function($, Backbone, _, TranscriptUtils) { return; } - this.template = _.template(tpl); - - tplContainer.html(this.template({ + this.template = HtmlUtils.template(tpl); + HtmlUtils.setHtml(tplContainer, this.template({ ext: this.validFileExtensions, component_locator: this.options.component_locator })); 
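Review bot: In the second hunk of file_uploader.js, replacing `_.template(tpl)` with `HtmlUtils.template(tpl)` and `tplContainer.html(...)` with `HtmlUtils.setHtml(...)` does not by itself escape `ext` or `component_locator`; as I recall the toolkit, `HtmlUtils.template` injects `HtmlUtils`/`StringUtils` into the template context and marks the rendered string as trusted HTML, leaving escaping to the underscore template's own `<%- %>` tags. The template source `tpl` is obtained outside this hunk, so please confirm it uses the escaping form for both interpolations, `component_locator` in particular since `validFileExtensions` presumably is a fixed list on the view. It is worth recording that dependency above the assignment, e.g. `// tpl must escape its own interpolations (<%- %>); HtmlUtils.template only marks the result as trusted HTML`.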
@@ -126,11 +127,12 @@ function($, Backbone, _, TranscriptUtils) { * */ checkExtValidity: function(file) { + var fileExtension; if (!file.name) { return void(0); } - var fileExtension = file.name + fileExtension = file.name .split('.') .pop() .toLowerCase(); @@ -153,7 +155,7 @@ function($, Backbone, _, TranscriptUtils) { this.$progress .width(percentVal) - .html(percentVal) + .text(percentVal) .removeClass(this.invisibleClass); }, @@ -177,7 +179,7 @@ function($, Backbone, _, TranscriptUtils) { this.$progress .width(percentVal) - .html(percentVal); + .text(percentVal); }, /** diff --git a/cms/templates/edit-tabs.html b/cms/templates/edit-tabs.html index 7ee868aaa520..c9e30c322399 100644 --- a/cms/templates/edit-tabs.html +++ b/cms/templates/edit-tabs.html @@ -21,7 +21,7 @@ <%block name="page_bundle"> <%static:webpack entry="js/factories/edit_tabs"> - EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id})}"); + EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id}) | n, js_escaped_string}"); diff --git a/cms/templates/manage_users_lib.html b/cms/templates/manage_users_lib.html index 4d9e4e1aa2c1..0800be9eb5d0 100644 --- a/cms/templates/manage_users_lib.html +++ b/cms/templates/manage_users_lib.html @@ -1,3 +1,5 @@ +<%page expression_filter="h"/> + <%inherit file="base.html" /> <%! from django.utils.translation import ugettext as _ @@ -110,7 +112,7 @@

${_("Library Access Roles")}

<%block name="requirejs"> require(["js/factories/manage_users_lib"], function(ManageLibraryUsersFactory) { ManageLibraryUsersFactory( - "${context_library.display_name_with_default | h}", + "${context_library.display_name_with_default | n, js_escaped_string}", ${users | n, dump_js_escaped_json}, "${reverse('course_team_handler', kwargs={'course_key_string': library_key, 'email': '@@EMAIL@@'}) | n, js_escaped_string}", ${request.user.id | n, dump_js_escaped_json}, diff --git a/lms/static/js/verify_student/views/pay_and_verify_view.js b/lms/static/js/verify_student/views/pay_and_verify_view.js index 452b0cb73123..4dd4d4d16f21 100644 --- a/lms/static/js/verify_student/views/pay_and_verify_view.js +++ b/lms/static/js/verify_student/views/pay_and_verify_view.js @@ -126,7 +126,10 @@ var edx = edx || {}; // Get or create the step container $stepEl = $('#current-step-container'); if (!$stepEl.length) { - $stepEl = $('
').appendTo(this.el); + $stepEl = edx.HtmlUtils.append( + $(this.el), + edx.HtmlUtils.HTML('
').toString() + ); } // Render the subview diff --git a/lms/static/js/verify_student/views/reverify_view.js b/lms/static/js/verify_student/views/reverify_view.js index 43257138b33a..b61ca2f1b507 100644 --- a/lms/static/js/verify_student/views/reverify_view.js +++ b/lms/static/js/verify_student/views/reverify_view.js @@ -83,7 +83,10 @@ // Get or create the step container $stepEl = $('#current-step-container'); if (!$stepEl.length) { - $stepEl = $('
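Review bot: The new `$stepEl = edx.HtmlUtils.append(...)` assignment in pay_and_verify_view.js changes what `$stepEl` refers to: the original `$('<div …>').appendTo(this.el)` evaluated to the newly created div, whereas `HtmlUtils.append`, if it follows the toolkit implementation as I recall it, returns the element it appended to, i.e. `$(this.el)`, so the subview rendered a few lines later would be mounted on the whole view instead of the step container. Calling `.toString()` on the `edx.HtmlUtils.HTML(...)` snippet also hands `append` a plain string, which the toolkit treats as untrusted and escapes, so the div markup may end up rendered as literal text; pass the snippet itself. Assuming the created div carries the `current-step-container` id that the lookup two lines above expects, the safe shape is `edx.HtmlUtils.append($(this.el), edx.HtmlUtils.HTML('<div id="current-step-container">'));` followed by `$stepEl = $('#current-step-container');`, with the real div markup substituted since its attributes are stripped on this page. The identical change in reverify_view.js (hunk @@ -83,7 +83,10 @@) needs the same correction.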
').appendTo(this.el); + $stepEl = edx.HtmlUtils.append( + $(this.el), + edx.HtmlUtils.HTML('
').toString() + ); } // Render the step subview diff --git a/lms/static/js/views/image_field.js b/lms/static/js/views/image_field.js index d5687596175e..3a4b427c15df 100644 --- a/lms/static/js/views/image_field.js +++ b/lms/static/js/views/image_field.js @@ -1,15 +1,16 @@ (function(define) { 'use strict'; define([ - 'gettext', 'jquery', 'underscore', 'backbone', 'js/views/fields', + 'gettext', 'jquery', 'underscore', 'backbone', + 'edx-ui-toolkit/js/utils/html-utils', 'js/views/fields', 'text!templates/fields/field_image.underscore', 'backbone-super', 'jquery.fileupload' - ], function(gettext, $, _, Backbone, FieldViews, field_image_template) { + ], function(gettext, $, _, Backbone, HtmlUtils, FieldViews, FieldImageTemplate) { var ImageFieldView = FieldViews.FieldView.extend({ fieldType: 'image', - fieldTemplate: field_image_template, + fieldTemplate: FieldImageTemplate, uploadButtonSelector: '.upload-button-input', titleAdd: gettext('Upload an image'), @@ -44,7 +45,7 @@ }, render: function() { - this.$el.html(this.template({ + var attributes = { id: this.options.valueAttribute, inputName: (this.options.inputName || 'file'), imageUrl: _.result(this, 'imageUrl'), @@ -54,7 +55,8 @@ removeButtonIcon: _.result(this, 'iconRemove'), removeButtonTitle: _.result(this, 'removeButtonTitle'), screenReaderTitle: _.result(this, 'screenReaderTitle') - })); + }; + this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString()); this.delegateEvents(); this.updateButtonsVisibility(); this.watchForPageUnload(); 
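Review bot: In image_field.js's render hunk (@@ -54,7 +55,8 @@), `this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString())` is behaviourally identical to the old `this.$el.html(this.template({...}))`: wrapping the string in `HtmlUtils.HTML` and immediately calling `.toString()` adds no escaping, it only changes what the linter sees. Whether `imageUrl`, `inputName` and the other attributes are escaped still rests entirely on `this.template`, which is compiled outside this hunk (presumably by `FieldViews.FieldView` from `fieldTemplate`), and on that underscore template using `<%- %>` for them. If the intent is to document that trust, say so with a comment such as `// this.template escapes the attributes itself; its output is treated as trusted markup`; otherwise go through the toolkit API, `HtmlUtils.setHtml(this.$el, HtmlUtils.HTML(this.template(attributes)));`, and compile the template with `HtmlUtils.template` where it is defined. `render` ends outside the hunk.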
@@ -184,14 +186,14 @@ showUploadInProgressMessage: function() { this.$('.u-field-upload-button').addClass('in-progress'); - this.$('.upload-button-icon').html(this.iconProgress); - this.$('.upload-button-title').html(this.titleUploading); + HtmlUtils.setHtml(this.$('.upload-button-icon'), HtmlUtils.HTML(this.iconProgress)); + HtmlUtils.setHtml(this.$('.upload-button-title'), HtmlUtils.HTML(this.titleUploading)); }, showRemovalInProgressMessage: function() { this.$('.u-field-remove-button').css('opacity', 1); - this.$('.remove-button-icon').html(this.iconProgress); - this.$('.remove-button-title').html(this.titleRemoving); + HtmlUtils.setHtml(this.$('.remove-button-icon'), HtmlUtils.HTML(this.iconProgress)); + HtmlUtils.setHtml(this.$('.remove-button-title'), HtmlUtils.HTML(this.titleRemoving)); }, setCurrentStatus: function(status) { diff --git a/lms/static/js/views/notification.js b/lms/static/js/views/notification.js index a5cc328f179c..1187e8478bb8 100644 --- a/lms/static/js/views/notification.js +++ b/lms/static/js/views/notification.js @@ -9,7 +9,7 @@ }, render: function() { - this.$el.html(this.template({ + this.$el.html(this.template({ // xss-lint: disable=javascript-jquery-html type: this.model.get('type'), title: this.model.get('title'), message: this.model.get('message'), diff --git a/lms/templates/split_test_author_view.html b/lms/templates/split_test_author_view.html index ede487e199f0..534777d0b16d 100644 --- a/lms/templates/split_test_author_view.html +++ b/lms/templates/split_test_author_view.html @@ -1,4 +1,9 @@ -<%! from django.utils.translation import ugettext as _ %> +<%page expression_filter="h"/> + +<%! + from django.utils.translation import ugettext as _ + from openedx.core.djangolib.markup import HTML, Text +%> <% split_test = context.get('split_test') @@ -11,8 +16,8 @@
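Review bot: `HtmlUtils.setHtml(this.$('.upload-button-title'), HtmlUtils.HTML(this.titleUploading))` and the three sibling lines in this image_field.js hunk still insert the values as raw markup, because `HtmlUtils.HTML` declares a string trusted rather than escaping it. For the two title strings, which by the look of `titleAdd: gettext('Upload an image')` in the first hunk are plain translated text, the lint-clean and safer form is the one this same patch applies to `percentVal` in file_uploader.js: `this.$('.upload-button-title').text(this.titleUploading);` and `this.$('.remove-button-title').text(this.titleRemoving);`. Keep `HtmlUtils.HTML` only for `iconProgress` if it genuinely carries icon markup; its definition is not in this diff, so please confirm which of these properties actually contain HTML.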
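Review bot: The `// xss-lint: disable=javascript-jquery-html` suppression added to notification.js's `render` silences the check without recording why `this.$el.html(this.template({...}))` is safe, even though `type`, `title` and `message` are taken directly from the model. If the underscore template escapes them with `<%- %>`, state that on a separate comment line above the call, e.g. `// template escapes type/title/message with <%- %>, so .html() is safe here`; if `message` is intended to carry markup, that is exactly the case the other files in this patch convert to `HtmlUtils.setHtml` with an explicit `HtmlUtils.HTML(...)` at the call site, and this one should follow. The template is not part of the hunk, so I cannot tell which applies.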

- ${_("This content experiment uses group configuration '{group_configuration_name}'.").format( - group_configuration_name="{}".format(group_configuration_url, user_partition.name) if show_link else user_partition.name + ${Text(_("This content experiment uses group configuration '{group_configuration_name}'.")).format( + group_configuration_name=Text(HTML("{}")).format(group_configuration_url, user_partition.name) if show_link else user_partition.name )}

@@ -23,13 +28,13 @@ % if is_root:

${_("Active Groups")}

- ${active_groups_preview} + ${HTML(active_groups_preview)}
% if inactive_groups_preview:

${_("Inactive Groups")}

- ${inactive_groups_preview} + ${HTML(inactive_groups_preview)}
% endif % endif
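Review bot: `${HTML(active_groups_preview)}` and `${HTML(inactive_groups_preview)}` opt these two expressions out of the `expression_filter="h"` this patch adds at the top of split_test_author_view.html, so any group name or description inside the previews is rendered unescaped unless the code that builds those strings (outside this diff) escapes it. That is the right call only if the previews are already-rendered, escaped fragments; please confirm this in the view that produces them and record the assumption here with a Mako comment such as `## active/inactive_groups_preview are pre-rendered, escaped HTML fragments; HTML() only marks them safe`. The closing markup of this hunk is stripped on this page, so I may not be seeing its final context lines.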