Security patch for file upload XSS issue (Studio). (#24)

edx-olive · Apr 28, 2020 · 4091a43 · 4091a43
1 parent 7fc57cc
commit 4091a43
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cms/static/js/models/uploads.js b/cms/static/js/models/uploads.js
@@ -14,7 +14,7 @@ define(['backbone', 'underscore', 'gettext'], function(Backbone, _, gettext) {
         validate: function(attrs, options) {
             if (attrs.selectedFile && !this.checkTypeValidity(attrs.selectedFile)) {
                 return {
-                    message: _.template(gettext('Only <%= fileTypes %> files can be uploaded. Please select a file ending in <%= fileExtensions %> to upload.'))(  // eslint-disable-line max-len
+                    message: _.template(gettext('Only <%- fileTypes %> files can be uploaded. Please select a file ending in <%- (fileExtensions) %> to upload.'))(  // eslint-disable-line max-len
                     this.formatValidTypes()
                 ),
                     attributes: {selectedFile: true}
@@ -62,7 +62,7 @@ define(['backbone', 'underscore', 'gettext'], function(Backbone, _, gettext) {
             }
             var or = gettext('or');
             var formatTypes = function(types) {
-                return _.template('<%= initial %> <%= or %> <%= last %>')({
+                return _.template('<%- initial %> <%- or %> <%- last %>')({
                     initial: _.initial(types).join(', '),
                     or: or,
                     last: _.last(types)