Merge pull request #202 from edx/sustaining/security-fixes-5

Sustaining/security fixes 5
appsembler · Sep 7, 2020 · f87e1d2 · f87e1d2
2 parents e637704 + 893a01f
commit f87e1d2
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 19 deletions.
diff --git a/lms/templates/ccx/coach_dashboard.html b/lms/templates/ccx/coach_dashboard.html
@@ -129,8 +129,9 @@ <h2 class="hd hd-2" id="header-ccx-dashboard">${_("CCX Coach Dashboard")}</h2>
           studentId = $('<input />', {
             type: 'hidden',
             name: 'student-id',
-            value: selectedStudent
+            value: edx.HtmlUtils.ensureHtml(selectedStudent)
           });
+          // xss-lint: disable=javascript-jquery-append
           form.append(action, studentId).submit();
         }
     });
@@ -153,7 +154,7 @@ <h2 class="hd hd-2" id="header-ccx-dashboard">${_("CCX Coach Dashboard")}</h2>
       $errorMessage.show();
       return false;
     } else if (hasCcxConnector) {
-      $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}');
+      $errorMessage.text('${use_ccx_con_error_message | n, js_escaped_string}');
       $errorMessage.show();
       return false;
     }

diff --git a/lms/templates/components/card/card.underscore b/lms/templates/components/card/card.underscore
@@ -6,7 +6,7 @@
         <% } %>
         <h3 class="card-title"
             <% if (!_.isUndefined(srInfo)) { %>
-                aria-describedby="<%= srInfo.id %>"
+                aria-describedby="<%- srInfo.id %>"
             <% } %>
             ><%- title %>
         </h3>
@@ -17,7 +17,8 @@
     <div class="card-meta">
     </div>
     <div class="card-actions">
-        <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+        <% // xss-lint: disable=underscore-not-escaped %>
+        <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
     </div>
 </div>
 <% } else { %>
@@ -28,14 +29,15 @@
         <% } %>
         <h3 class="card-title"
             <% if (!_.isUndefined(srInfo)) { %>
-                aria-describedby="<%= srInfo.id %>"
+                aria-describedby="<%- srInfo.id %>"
             <% } %>
             ><%- title %>
         </h3>
         <p class="card-description"><%- description %></p>
     </div>
     <div class="card-actions">
-        <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+        <% // xss-lint: disable=underscore-not-escaped %>
+        <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
     </div>
 </div>
 <div class="wrapper-card-meta">

diff --git a/lms/templates/edxnotes/note-item.underscore b/lms/templates/edxnotes/note-item.underscore
@@ -18,6 +18,7 @@
         <li class="note-comment">
             <p class="note-comment-title"><%- gettext("You commented...") %></p>
             <p class="note-comment-p">
+                <% // xss-lint: disable=underscore-not-escaped %>
                 <%= interpolate_text(_.escape(text), {
                     elasticsearch_highlight_start: '<span class="note-highlight">',
                     elasticsearch_highlight_end: '</span>'
@@ -32,7 +33,7 @@
     <div class="wrapper-reference-content">
         <p class="reference-title"><%- gettext("Noted in:") %></p>
         <% if (unit.url) { %>
-          <a class="reference-meta reference-unit-link" href="<%= unit.url %>#<%= id %>"><%- unit.display_name %></a>
+          <a class="reference-meta reference-unit-link" href="<%- unit.url %>#<%- id %>"><%- unit.display_name %></a>
         <% } else { %>
           <span class="reference-meta"><%- unit.display_name %></span>
         <% } %>
@@ -44,6 +45,7 @@
             <p class="reference-title"><%- gettext("Tags:") %></p>
             <% for (var i = 0; i < tags.length; i++) { %>
                 <span class="reference-meta reference-tags">
+                    <% // xss-lint: disable=underscore-not-escaped %>
                     <%= interpolate_text(_.escape(tags[i]), {
                         elasticsearch_highlight_start: '<span class="note-highlight">',
                         elasticsearch_highlight_end: '</span>'

diff --git a/lms/templates/edxnotes/tab-item.underscore b/lms/templates/edxnotes/tab-item.underscore
@@ -1,7 +1,7 @@
 <% var hasIcon = icon ? 1 : 0; %>
 
 <a class="tab-label <% if (hasIcon) { print('has-icon') } %>" href="#">
-  <% if (hasIcon) { %><span class="icon <%= icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
+  <% if (hasIcon) { %><span class="icon <%- icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
 </a>
 
 <% if (is_closable) { %>

diff --git a/lms/templates/fields/field_image.underscore b/lms/templates/fields/field_image.underscore
@@ -1,16 +1,18 @@
 <div class="image-wrapper">
-    <img class="image-frame" src="<%- imageUrl %>"  alt="<%=imageAltText%>"/>
+    <img class="image-frame" src="<%- imageUrl %>"  alt="<%-imageAltText%>"/>
     <div class="u-field-actions">
         <label class="u-field-upload-button">
+            <% // xss-lint: disable=underscore-not-escaped %>
             <span class="upload-button-icon" aria-hidden="true"><%= uploadButtonIcon %></span>
-            <span class="upload-button-title" aria-live="polite"><%= uploadButtonTitle %></span>
-            <input class="upload-button-input" type="file" name="<%= inputName %>"/>
+            <span class="upload-button-title" aria-live="polite"><%- uploadButtonTitle %></span>
+            <input class="upload-button-input" type="file" name="<%- inputName %>"/>
        	</label>
-       	<button class="upload-submit" type="button" hidden="true"><%= uploadButtonTitle %></button>
+       	<button class="upload-submit" type="button" hidden="true"><%- uploadButtonTitle %></button>
         <button class="u-field-remove-button" type="button">
+            <% // xss-lint: disable=underscore-not-escaped %>
             <span class="remove-button-icon" aria-hidden="true"><%= removeButtonIcon %></span>
-            <span class="remove-button-title" aria-live="polite"><%= removeButtonTitle %></span>
-            <span class="sr"><%= screenReaderTitle %></span>
+            <span class="remove-button-title" aria-live="polite"><%- removeButtonTitle %></span>
+            <span class="sr"><%- screenReaderTitle %></span>
         </button>
     </div>
 </div>
diff --git a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
@@ -12,7 +12,7 @@
             <td> <%- is_registration_code_valid %> </td>
             <td>
                 <% _.each(actions, function(action){ %>
-                    <a class="registration_code_action_link" data-registration-code="<%= action.registration_code %>" data-action-type="<%= action.action_type %>" href="#" data-endpoint="<%= action.action_url %>">
+                    <a class="registration_code_action_link" data-registration-code="<%- action.registration_code %>" data-action-type="<%- action.action_type %>" href="#" data-endpoint="<%- action.action_url %>">
                         <%- action.action_name %>
                     </a>
                 <% }); %>

diff --git a/lms/templates/learner_dashboard/program_card.underscore b/lms/templates/learner_dashboard/program_card.underscore
@@ -57,7 +57,7 @@
             <source srcset="<%- smallBannerUrl %>" media="(max-width: <%- breakpoints.max.small %>)">
             <source srcset="<%- mediumBannerUrl %>" media="(max-width: <%- breakpoints.max.medium %>)">
             <source srcset="<%- xsmallBannerUrl %>" media="(max-width: <%- breakpoints.max.large %>)">
-            <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%= interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
+            <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%- interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
         </picture>
     </div>
 </a>
diff --git a/lms/templates/video.html b/lms/templates/video.html
@@ -2,7 +2,9 @@
 
 <%!
 from django.utils.translation import ugettext as _
-from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
 %>
 % if display_name is not UNDEFINED and display_name is not None:
     <h3 class="hd hd-2">${display_name}</h3>
@@ -98,14 +100,14 @@ <h4 class="hd hd-5">${_('Handouts')}</h4>
   var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
   var id = "${id | n, js_escaped_string}";
   function initializeCDNExperiment() {
-    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
+    sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, "", "load");
     cdnStartTime = Date.now();
     $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata',
                     'loadeddata', 'canplay', 'canplaythrough', 'seeked'],
                     function(index, eventName) {
       $("#video_" + id).bind("html5:" + eventName, null, function() {
         timeElapsed = Date.now() - cdnStartTime;
-        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+        sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, timeElapsed, eventName);
       });
     });
   }