fix: Incident Security Fixes 10

edx-olive · Apr 5, 2021 · b8a0f18 · b8a0f18
1 parent 979b9e9
commit b8a0f18
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 17 deletions.
diff --git a/common/djangoapps/third_party_auth/templates/third_party_auth/post_custom_auth_entry.html b/common/djangoapps/third_party_auth/templates/third_party_auth/post_custom_auth_entry.html
@@ -2,7 +2,7 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-    <title>{% trans "Please wait" %}</title>
+    <title>{% trans "Please wait" as tmsg %}{{tmsg|force_escape}}</title>
     <style type="text/css">
     #djDebug {display:none;}
     </style>

diff --git a/common/lib/xmodule/xmodule/js/src/collapsible.js b/common/lib/xmodule/xmodule/js/src/collapsible.js
@@ -29,7 +29,7 @@
 
         // Standard longform + shortfom pattern.
         el.find('.longform').hide();
-        el.find('.shortform').append(linkTop, linkBottom);
+        el.find('.shortform').append(linkTop, linkBottom); // xss-lint: disable=javascript-jquery-append
 
         // Custom longform + shortform text pattern.
         short_custom = el.find('.shortform-custom');
@@ -40,7 +40,14 @@
 
             open_text = $(elt).data('open-text');
             close_text = $(elt).data('close-text');
-            $(elt).append("<a href='#' class='full-custom'>" + open_text + '</a>');
+            edx.HtmlUtils.append(
+                $(elt),
+                edx.HtmlUtils.joinHtml(
+                    edx.HtmlUtils.HTML("<a href='#' class='full-custom'>"),
+                    gettext(open_text),
+                    edx.HtmlUtils.HTML('</a>')
+                )
+            );
 
             $(elt).find('.full-custom').click(function(event) {
                 Collapsible.toggleFull(event, open_text, close_text);

diff --git a/lms/static/js/api_admin/views/catalog_preview.js b/lms/static/js/api_admin/views/catalog_preview.js
@@ -6,8 +6,9 @@
         'underscore',
         'gettext',
         'text!../../../templates/api_admin/catalog-results.underscore',
-        'text!../../../templates/api_admin/catalog-error.underscore'
-    ], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl) {
+        'text!../../../templates/api_admin/catalog-error.underscore',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ], function(Backbone, _, gettext, catalogResultsTpl, catalogErrorTpl, HtmlUtils) {
         return Backbone.View.extend({
 
             events: {
@@ -20,9 +21,8 @@
             },
 
             render: function() {
-                this.$('#id_query').after(
-                    '<button class="preview-query">' + gettext('Preview this query') + '</button>'
-                );
+                // eslint-disable-next-line
+                this.$('#id_query').after(HtmlUtils.joinHtml(HtmlUtils.HTML('<button class="preview-query">'), gettext('Preview this query'), HtmlUtils.HTML('</button>')).toString());
                 return this;
             },
 
@@ -44,7 +44,10 @@
                     method: 'GET',
                     success: _.bind(this.renderCourses, this),
                     error: _.bind(function() {
-                        this.$('.preview-results').html(_.template(catalogErrorTpl)({}));
+                        HtmlUtils.setHtml(
+                            this.$('.preview-results'),
+                            HtmlUtils.template(catalogErrorTpl)({})
+                        );
                     }, this)
                 });
             },
@@ -54,10 +57,13 @@
              * courses API.
              */
             renderCourses: function(data) {
-                this.$('.preview-results').html(_.template(catalogResultsTpl)({
-                    courses: data.results,
-                    catalogApiUrl: this.catalogApiUrl
-                }));
+                HtmlUtils.setHtml(
+                    this.$('.preview-results'),
+                    HtmlUtils.template(catalogResultsTpl)({
+                        courses: data.results,
+                        catalogApiUrl: this.catalogApiUrl
+                    })
+                );
             }
         });
     });

diff --git a/lms/static/js/discovery/views/filter_bar.js b/lms/static/js/discovery/views/filter_bar.js
@@ -5,8 +5,9 @@
         'backbone',
         'gettext',
         'js/discovery/models/filter',
-        'js/discovery/views/filter_label'
-    ], function($, _, Backbone, gettext, Filter, FilterLabel) {
+        'js/discovery/views/filter_label',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ], function($, _, Backbone, gettext, Filter, FilterLabel, HtmlUtils) {
         'use strict';
 
         return Backbone.View.extend({
@@ -20,15 +21,18 @@
             },
 
             initialize: function() {
-                this.tpl = _.template($(this.templateId).html());
+                this.tpl = HtmlUtils.template($(this.templateId).html());
                 this.render();
                 this.listenTo(this.collection, 'remove', this.hideIfEmpty);
                 this.listenTo(this.collection, 'add', this.addFilter);
                 this.listenTo(this.collection, 'reset', this.resetFilters);
             },
 
             render: function() {
-                this.$el.html(this.tpl());
+                HtmlUtils.setHtml(
+                    this.$el,
+                    this.tpl()
+                );
                 this.$ul = this.$el.find('ul');
                 this.$el.addClass('is-animated');
                 return this;