From 4cbccce4e21970769be0e8ef63fd225e6e92bea3 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:15:19 +0500
Subject: [PATCH 1/8] PROD-1611
---
lms/templates/components/card/card.underscore | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lms/templates/components/card/card.underscore b/lms/templates/components/card/card.underscore
index 178d102b2983..06e8483ea038 100644
--- a/lms/templates/components/card/card.underscore
+++ b/lms/templates/components/card/card.underscore
@@ -6,7 +6,7 @@ <% } %>

- aria-describedby="<%= srInfo.id %>"
+ aria-describedby="<%- srInfo.id %>"
 <% } %>
 ><%- title %>

@@ -17,7 +17,8 @@
- <%= action_content %>
+ <% // xss-lint: disable=underscore-not-escaped %>
+ <%= action_content %>
<% } else { %>
@@ -28,14 +29,15 @@ <% } %>

- aria-describedby="<%= srInfo.id %>"
+ aria-describedby="<%- srInfo.id %>"
 <% } %>
 ><%- title %>

<%- description %>

- <%= action_content %>
+ <% // xss-lint: disable=underscore-not-escaped %>
+ <%= action_content %>
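Review bot: The `xss-lint: disable=underscore-not-escaped` lines added in front of `<%= action_content %>` here and in the hunk at @@ -17,7 +17,8 @@ silence the linter without recording why raw output is safe, so the template now relies on every caller building `action_content` as an already-escaped fragment and nothing at the sink says so. Give the suppression a reason a future editor can check, e.g. `<% // xss-lint: disable=underscore-not-escaped -- action_content must be an HtmlUtils.HTML snippet built by the view, never raw user text %>`. Alternatively render it as `<%= HtmlUtils.ensureHtml(action_content) %>`, which the linter accepts without a disable comment and which, if `ensureHtml` escapes plain strings as in edx-ui-toolkit, also neutralises a caller that passes a bare string by mistake; whether the callers already pass snippets is not visible from this diff.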
From e6a080ed4d39e284f204409033cb452a4f5df249 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:35:52 +0500
Subject: [PATCH 2/8] PROD-1608
---
lms/templates/edxnotes/note-item.underscore | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lms/templates/edxnotes/note-item.underscore b/lms/templates/edxnotes/note-item.underscore
index 941127984f15..2ed78b7d34f1 100644
--- a/lms/templates/edxnotes/note-item.underscore
+++ b/lms/templates/edxnotes/note-item.underscore
@@ -18,6 +18,7 @@
  • <%- gettext("You commented...") %>

+ <% // xss-lint: disable=underscore-not-escaped %>
 <%= interpolate_text(_.escape(text), { elasticsearch_highlight_start: '', elasticsearch_highlight_end: ''
@@ -32,7 +33,7 @@
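Review bot: The `xss-lint: disable=underscore-not-escaped` added before `interpolate_text(_.escape(text), …)` is only sound because the user-controlled `text` goes through `_.escape` before the highlight placeholders are substituted, and that reason is not written down, so a later edit that drops the escape or adds a placeholder filled from user data would re-open the sink unnoticed. Record it on the disable line: `<% // xss-lint: disable=underscore-not-escaped -- text is _.escape()d first; only the fixed highlight markup is inserted unescaped %>`. The same escape-then-interpolate pattern is repeated for `tags[i]` in the hunk at @@ -44,6 +45,7 @@; a small helper that returns the highlighted snippet would give both sites one place to audit. The placeholder values are not visible in this rendering, so I am assuming they are constant markup and not derived from the note.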

    <%- gettext("Noted in:") %>

<% if (unit.url) { %>
- <%- unit.display_name %>
+ <%- unit.display_name %>
 <% } else { %>
 <%- unit.display_name %>
 <% } %>
@@ -44,6 +45,7 @@

    <%- gettext("Tags:") %>

<% for (var i = 0; i < tags.length; i++) { %>
+ <% // xss-lint: disable=underscore-not-escaped %>
 <%= interpolate_text(_.escape(tags[i]), { elasticsearch_highlight_start: '', elasticsearch_highlight_end: ''
From 51577629ea0a8d29354f6f1da3d67cd288364af6 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:36:39 +0500
Subject: [PATCH 3/8] PROD-1607
---
lms/templates/edxnotes/tab-item.underscore | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lms/templates/edxnotes/tab-item.underscore b/lms/templates/edxnotes/tab-item.underscore
index 91b6de9814f6..86530d1cd8bf 100644
--- a/lms/templates/edxnotes/tab-item.underscore
+++ b/lms/templates/edxnotes/tab-item.underscore
@@ -1,7 +1,7 @@
 <% var hasIcon = icon ? 1 : 0; %>
- <% if (hasIcon) { %> <% } %><%- gettext(name) %>
+ <% if (hasIcon) { %> <% } %><%- gettext(name) %>
 <% if (is_closable) { %>
From 71322bb4fe82d94c019473537c37d3e0e3d6077a Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:37:01 +0500
Subject: [PATCH 4/8] PROD-1606
---
lms/templates/fields/field_image.underscore | 14 ++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/lms/templates/fields/field_image.underscore b/lms/templates/fields/field_image.underscore
index 79c422ed30e0..07ce9cf3e7c6 100644
--- a/lms/templates/fields/field_image.underscore
+++ b/lms/templates/fields/field_image.underscore
@@ -1,16 +1,18 @@
- <%=imageAltText%>
+ <%-imageAltText%>
    - +
From b5cee96c5628ece98d5b33f9f0f7ee745311e2b5 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:38:03 +0500
Subject: [PATCH 5/8] PROD-1601
---
.../enrollment-code-lookup-links.underscore | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
index 1052b32bc65e..88b3c773971f 100644
--- a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
+++ b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
@@ -12,7 +12,7 @@ <%- is_registration_code_valid %> <% _.each(actions, function(action){ %> - + <%- action.action_name %> <% }); %>
From a36904e6ee6a4d9761346de3c79f49f54ca5f6b9 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Mon, 24 Aug 2020 16:38:22 +0500
Subject: [PATCH 6/8] PROD-1600
---
lms/templates/learner_dashboard/program_card.underscore | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lms/templates/learner_dashboard/program_card.underscore b/lms/templates/learner_dashboard/program_card.underscore
index 11c474b5ae02..de98c952dd15 100644
--- a/lms/templates/learner_dashboard/program_card.underscore
+++ b/lms/templates/learner_dashboard/program_card.underscore
@@ -57,7 +57,7 @@ - +
From e65874c6a35957e1b675a5a4d5a826550db2a523 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Fri, 28 Aug 2020 18:20:56 +0500
Subject: [PATCH 7/8] PROD-1618
---
lms/templates/video.html | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lms/templates/video.html b/lms/templates/video.html
index d475106caba3..51fcddd3eabc 100644
--- a/lms/templates/video.html
+++ b/lms/templates/video.html
@@ -2,7 +2,9 @@
 <%!
 from django.utils.translation import ugettext as _
-from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.js_utils import (
+ dump_js_escaped_json, js_escaped_string
+)
 %>
 % if display_name is not UNDEFINED and display_name is not None:

    ${display_name}

    @@ -98,14 +100,14 @@

    ${_('Handouts')}

var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
 var id = "${id | n, js_escaped_string}";
 function initializeCDNExperiment() {
- sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
+ sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, "", "load");
 cdnStartTime = Date.now();
 $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata', 'loadeddata', 'canplay', 'canplaythrough', 'seeked'], function(index, eventName) {
 $("#video_" + id).bind("html5:" + eventName, null, function() {
 timeElapsed = Date.now() - cdnStartTime;
- sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+ sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, timeElapsed, eventName);
 });
 });
 }
From 893a01f1bf0908c8a2639f0a1b9fb67bdf0e6f1b Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar
Date: Fri, 28 Aug 2020 18:43:54 +0500
Subject: [PATCH 8/8] PROD-1613
---
lms/templates/ccx/coach_dashboard.html | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lms/templates/ccx/coach_dashboard.html b/lms/templates/ccx/coach_dashboard.html
index 498a8d583a19..0fb54c584836 100644
--- a/lms/templates/ccx/coach_dashboard.html
+++ b/lms/templates/ccx/coach_dashboard.html
@@ -129,8 +129,9 @@
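Review bot: `${cdn_exp_group | n, dump_js_escaped_json}` is rendered twice inside `initializeCDNExperiment`, once per `sendPerformanceBeacon` call, so the two sites must be kept in sync by hand and the same value is serialised twice. Render it once next to `id`, `var cdnExpGroup = ${cdn_exp_group | n, dump_js_escaped_json};`, and pass `cdnExpGroup` in both calls. Note that `dump_js_escaped_json` emits a JSON literal, so a string group becomes a quoted string and `None` becomes `null` where the old `${cdn_exp_group}` emitted the bare value; if `sendPerformanceBeacon` or the beacon endpoint expected a numeric group id, confirm the type still matches. The filter change itself is the right fix for a server value interpolated into a script block, since HTML escaping does not protect a JavaScript context.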

    ${_("CCX Coach Dashboard")}

studentId = $('', {
 type: 'hidden',
 name: 'student-id',
- value: selectedStudent
+ value: edx.HtmlUtils.ensureHtml(selectedStudent)
 });
+ // xss-lint: disable=javascript-jquery-append
 form.append(action, studentId).submit();
 }
 });
@@ -153,7 +154,7 @@
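Review bot: `value: edx.HtmlUtils.ensureHtml(selectedStudent)` applies HTML escaping to a value that jQuery sets through the attribute API, which never parses HTML, so it adds no protection and, if `ensureHtml` escapes plain strings as it does in edx-ui-toolkit, turns any `&`, `<` or quote in the id into an entity that is then POSTed verbatim (harmless only while student ids are purely numeric). The original `value: selectedStudent` was already safe; the lint finding concerns `form.append(...)`, and the added `// xss-lint: disable=javascript-jquery-append` is what addresses it, so keep that comment and revert the value change. Give the suppression its reason as well: `// xss-lint: disable=javascript-jquery-append -- action and studentId are jQuery elements built from literal markup and attribute values, not HTML strings`. The `action` element and the enclosing handler start outside this hunk, so I am assuming `action` is constructed the same way.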

    ${_("CCX Coach Dashboard")}

$errorMessage.show();
 return false;
 } else if (hasCcxConnector) {
- $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}');
+ $errorMessage.text('${use_ccx_con_error_message | n, js_escaped_string}');
 $errorMessage.show();
 return false;
 }
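Review bot: Switching to `$errorMessage.text(...)` is the right default for a plain-text message, but if `use_ccx_con_error_message` is a translated string that carries markup (a link to the connector, for instance) it will now be displayed with the tags visible rather than rendered. Confirm what the view passes; if markup is intended, build it server-side as an HTML-safe fragment and set it with `HtmlUtils.setHtml($errorMessage, HtmlUtils.HTML('${use_ccx_con_error_message | n, js_escaped_string}'))`, which keeps the linter satisfied without going back to `.html()`. Either way a one-line comment at the call site stating that the message is plain text (or why it is trusted HTML) would stop the next reader from flipping it back. The enclosing handler starts and ends outside this hunk.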