Fix XSS vulnerability in which unescaped template values were being pasted into OEditor fields.

	Change on 2015/03/24 by jorr <jorr@google.com>
-------------
Created by MOE: http://code.google.com/p/moe-java
MOE_MIGRATED_REVID=89464922
jorr-at-google authored and psimakov committed Apr 3, 2015
1 parent faa19d3 commit e39645f
Showing 3 changed files with 15 additions and 14 deletions.
24 changes: 12 additions & 12 deletions coursebuilder/modules/oeditor/oeditor.html
Expand Up @@ -70,32 +70,32 @@
var cb_global = {};

// various URL's needed by the form
cb_global.get_url = '{{ get_url }}';
cb_global.save_url = '{{ save_url }}';
cb_global.get_url = '{{ get_url|js_string }}';
cb_global.save_url = '{{ save_url|js_string }}';
cb_global.save_args = JSON.parse("{{ save_args|js_string }}");
cb_global.exit_button_caption = '{{ exit_button_caption }}';
cb_global.exit_url = '{{ exit_url }}';
cb_global.save_method = '{{ save_method }}';
cb_global.exit_button_caption = '{{ exit_button_caption|js_string }}';
cb_global.exit_url = '{{ exit_url|js_string }}';
cb_global.save_method = '{{ save_method|js_string }}';
cb_global.auto_return = {% if auto_return %}true{% else %}false{% endif %};
cb_global.bundle_lib_files = {% if bundle_lib_files %}true{% else %}false{% endif %};

// If this value is '', deletions are not allowed
cb_global.delete_url = '{{ delete_url }}';
cb_global.delete_method = '{{ delete_method }}';
cb_global.delete_url = '{{ delete_url|js_string }}';
cb_global.delete_method = '{{ delete_method|js_string }}';

// button captions
cb_global.delete_button_caption = '{{ delete_button_caption }}'
cb_global.save_button_caption = '{{ save_button_caption }}'
cb_global.delete_button_caption = '{{ delete_button_caption|js_string }}'
cb_global.save_button_caption = '{{ save_button_caption|js_string }}'
cb_global.custom_rte_tag_icons = JSON.parse("{{ custom_rte_tag_icons|js_string }}");

cb_global.required_modules = [{% for module in required_modules %}
'{{ module }}'{% if not loop.last %},{% endif %}{% endfor %}];
'{{ module|js_string }}'{% if not loop.last %},{% endif %}{% endfor %}];
cb_global.schema = JSON.parse("{{ schema|js_string }}");
cb_global.delete_message = '{{ delete_message }}';
cb_global.delete_message = '{{ delete_message|js_string }}';
cb_global.can_highlight_code = {% if can_highlight_code %}true{% else %}false{% endif %};
cb_global.load_schema_with_annotations = function(schema) {
{% for annotation in schema_annotations %}
schema.root{% for element in annotation[0] %}['{{element}}']{% endfor %}
schema.root{% for element in annotation[0] %}['{{element|js_string}}']{% endfor %}
= JSON.parse("{{ annotation[1]|js_string }}")
{% endfor %}
}
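Review bot: The fix now relies on every interpolation in this script block remembering `|js_string`, and the rewritten caption pair (`cb_global.delete_button_caption = '{{ delete_button_caption|js_string }}'`, `cb_global.save_button_caption = '{{ save_button_caption|js_string }}'`) as well as the `= JSON.parse("{{ annotation[1]|js_string }}")` line inside `load_schema_with_annotations` still lack a terminating semicolon, which the rewrite could have added. A more robust shape would be to assemble the whole `cb_global` configuration as one dict in Python and emit it with a single `JSON.parse("{{ config|js_string }}")`, as `save_args` and `schema` already are, so that a value added later cannot be pasted in unescaped. Whether `js_string` also encodes `<`, `>` and `/` (so a closing script tag inside a value cannot terminate the block) is not visible here; the functional test shows `&` becoming `\u0026`, so presumably it does, but that is worth pinning with a test. The `{{element|js_string}}` spelling in the annotation loop differs from the `{{ x|js_string }}` form used everywhere else in the hunk.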
2 changes: 1 addition & 1 deletion coursebuilder/modules/oeditor/oeditor.py
Expand Up @@ -147,7 +147,7 @@ def get_html_for(
'save_url': post_url,
'save_args': transforms.dumps(post_args),
'exit_button_caption': exit_button_caption,
'exit_url': jinja2.Markup(exit_url), # suppress & -> &amp; in url
'exit_url': exit_url,
'required_modules': COMMON_REQUIRED_MODULES + required_modules,
'extra_css_files': extra_css_files or [],
'extra_js_files': extra_js_files or [],
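Review bot: The `'exit_url': exit_url,` line drops the comment that explained why the value used to bypass autoescaping, but nothing now records that escaping moved into the template; a note such as `'exit_url': exit_url,  # escaped by the js_string filter in oeditor.html; do not wrap in Markup` would stop a later contributor from re-wrapping it. If any other caller still passes a `jinja2.Markup` value for one of these fields, `js_string` presumably still escapes it since Markup is a str subclass, but that cannot be confirmed from this hunk. `get_html_for` begins before the hunk.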
3 changes: 2 additions & 1 deletion coursebuilder/tests/functional/admin_settings.py
Expand Up @@ -559,5 +559,6 @@ def test_exit_url(self):
'tab': 'data_pump'})})
response = self.get(url)
self.assertIn(
'cb_global.exit_url = \'dashboard?action=analytics&tab=data_pump\'',
'cb_global.exit_url = \'dashboard?action=analytics'
'\\u0026tab=data_pump\'',
response.body)
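Review bot: The assertion pins one encoding detail of `js_string` (`&` rendered as `\u0026`) rather than the property the commit fixes, so a later change to the escaping scheme would break this test while a regression that drops the filter on a different field would still pass. A second case that sets `exit_url` to a value containing a single quote and a closing script tag and asserts that neither appears unescaped in `response.body` would cover the vulnerability directly, and the same pattern could cover `delete_message` or one of the captions. `test_exit_url` begins before the hunk.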
