Incident Management Security Fixes 7

cms/templates/js/due-date-editor.underscore

@@ -1,22 +1,22 @@
 <ul class="list-fields list-input datepair date-setter">
     <li class="field field-text field-due-date">
-        <label for="due_date"><%= gettext('Due Date:') %></label>
+        <label for="due_date"><%- gettext('Due Date:') %></label>
         <input type="text" id="due_date" name="due_date" value=""
             placeholder="MM/DD/YYYY" class="due-date date input input-text" autocomplete="off"/>
     </li>
 
     <li class="field field-text field-due-time">
-        <label for="due_time"><%= gettext('Due Time in UTC:') %></label>
+        <label for="due_time"><%- gettext('Due Time in UTC:') %></label>
         <input type="text" id="due_time" name="due_time" value=""
             placeholder="HH:MM" class="due-time time input input-text" autocomplete="off" />
     </li>
 </ul>
 
 <ul class="list-actions">
     <li class="action-item">
-        <a href="#" data-tooltip="<%= gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
+        <a href="#" data-tooltip="<%- gettext('Clear Grading Due Date') %>" class="clear-date action-button action-clear">
             <span class="icon fa fa-undo" aria-hidden="true"></span>
-            <span class="sr"><%= gettext('Clear Grading Due Date') %></span>
+            <span class="sr"><%- gettext('Clear Grading Due Date') %></span>
         </a>
     </li>
 </ul>

common/lib/capa/capa/templates/imageinput.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <div class="imageinput capa_inputtype" id="inputtype_${id}">
   <input
     type="hidden"
@@ -37,7 +38,7 @@
   </div>
 
   <script type="text/javascript" charset="utf-8">
-    (new ImageInput('${id}'));
+    (new ImageInput('${id | n, decode.utf8}'));
   </script>
 
   <%include file="status_span.html" args="status=status, status_id=id"/>

common/lib/symmath/symmath/formula.py

@@ -32,6 +32,8 @@
 from sympy.printing.latex import LatexPrinter
 from sympy.printing.str import StrPrinter
 
+from openedx.core.djangolib.markup import HTML
+
 log = logging.getLogger(__name__)
 
 log.warning("Dark code. Needs review before enabling in prod.")
@@ -90,8 +92,8 @@ def to_latex(expr):
 
     #return '<math>%s{}{}</math>' % (xs[1:-1])
     if expr_s[0] == '$':
-        return '[mathjax]%s[/mathjax]<br>' % (expr_s[1:-1])	 # for sympy v6  # xss-lint: disable=python-interpolate-html
-    return '[mathjax]%s[/mathjax]<br>' % (expr_s)		# for sympy v7  # xss-lint: disable=python-interpolate-html
+        return HTML('[mathjax]{expression}[/mathjax]<br>').format(expression=expr_s[1:-1])	 # for sympy v6
+    return HTML('[mathjax]{expression}[/mathjax]<br>').format(expression=expr_s)		# for sympy v7
 
 
 def my_evalf(expr, chop=False):

common/lib/symmath/symmath/symmath_check.py

@@ -12,6 +12,10 @@
 import logging
 import traceback
 
+from markupsafe import escape
+
+from openedx.core.djangolib.markup import HTML
+
 from .formula import *
 
 log = logging.getLogger(__name__)
@@ -49,8 +53,9 @@ def symmath_check_simple(expect, ans, adict={}, symtab=None, extra_options=None)
                     )
     except Exception as err:
         return {'ok': False,
-                'msg': 'Error %s<br/>Failed in evaluating check(%s,%s)' % (err, expect, ans)
-                }
+                'msg': HTML('Error {err}<br/>Failed in evaluating check({expect},{ans})').format(
+                    err=err, expect=expect, ans=ans
+                )}
     return ret
 
 #-----------------------------------------------------------------------------
@@ -94,22 +99,28 @@ def check(expect, given, numerical=False, matrix=False, normphase=False, abcsym=
     try:
         xgiven = my_sympify(given, normphase, matrix, do_qubit=do_qubit, abcsym=abcsym, symtab=symtab)
     except Exception as err:
-        return {'ok': False, 'msg': 'Error %s<br/> in evaluating your expression "%s"' % (err, given)}
+        return {'ok': False, 'msg': HTML('Error {err}<br/> in evaluating your expression "{given}"').format(
+            err=err, given=given
+        )}
 
     try:
         xexpect = my_sympify(expect, normphase, matrix, do_qubit=do_qubit, abcsym=abcsym, symtab=symtab)
     except Exception as err:
-        return {'ok': False, 'msg': 'Error %s<br/> in evaluating OUR expression "%s"' % (err, expect)}
+        return {'ok': False, 'msg': HTML('Error {err}<br/> in evaluating OUR expression "{expect}"').format(
+            err=err, expect=expect
+        )}
 
     if 'autonorm' in flags:	 # normalize trace of matrices
         try:
             xgiven /= xgiven.trace()
         except Exception as err:
-            return {'ok': False, 'msg': 'Error %s<br/> in normalizing trace of your expression %s' % (err, to_latex(xgiven))}
+            return {'ok': False, 'msg': HTML('Error {err}<br/> in normalizing trace of your expression {xgiven}').
+                    format(err=err, xgiven=to_latex(xgiven))}
         try:
             xexpect /= xexpect.trace()
         except Exception as err:
-            return {'ok': False, 'msg': 'Error %s<br/> in normalizing trace of OUR expression %s' % (err, to_latex(xexpect))}
+            return {'ok': False, 'msg': HTML('Error {err}<br/> in normalizing trace of OUR expression {xexpect}').
+                    format(err=err, xexpect=to_latex(xexpect))}
 
     msg = 'Your expression was evaluated as ' + to_latex(xgiven)
     # msg += '<br/>Expected ' + to_latex(xexpect)
@@ -145,7 +156,7 @@ def check(expect, given, numerical=False, matrix=False, normphase=False, abcsym=
 
 def make_error_message(msg):
     # msg = msg.replace('<p>','<p><span class="inline-error">').replace('</p>','</span></p>')
-    msg = '<div class="capa_alert">%s</div>' % msg
+    msg = HTML('<div class="capa_alert">{msg}</div>').format(msg=msg)
     return msg
 
 
@@ -210,7 +221,7 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
     try:
         fexpect = my_sympify(str(expect), matrix=do_matrix, do_qubit=do_qubit)
     except Exception as err:
-        msg += '<p>Error %s in parsing OUR expected answer "%s"</p>' % (err, expect)
+        msg += HTML('<p>Error {err} in parsing OUR expected answer "{expect}"</p>').format(err=err, expect=expect)
         return {'ok': False, 'msg': make_error_message(msg)}
 
     ###### Sympy input #######
@@ -226,18 +237,19 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
         if is_within_tolerance(fexpect, fans, threshold):
             return {'ok': True, 'msg': msg}
         else:
-            msg += '<p>You entered: %s</p>' % to_latex(fans)
+            msg += HTML('<p>You entered: {fans}</p>').format(fans=to_latex(fans))
             return {'ok': False, 'msg': msg}
 
     if do_numerical:		# numerical answer expected - force numerical comparison
         if is_within_tolerance(fexpect, fans, threshold):
             return {'ok': True, 'msg': msg}
         else:
-            msg += '<p>You entered: %s (note that a numerical answer is expected)</p>' % to_latex(fans)
+            msg += HTML('<p>You entered: {fans} (note that a numerical answer is expected)</p>').\
+                format(fans=to_latex(fans))
             return {'ok': False, 'msg': msg}
 
     if fexpect == fans:
-        msg += '<p>You entered: %s</p>' % to_latex(fans)
+        msg += HTML('<p>You entered: {fans}</p>').format(fans=to_latex(fans))
         return {'ok': True, 'msg': msg}
 
     ###### PMathML input ######
@@ -255,20 +267,18 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
     # if DEBUG: msg += '<p/> mmlans=%s' % repr(mmlans).replace('<','&lt;')
     try:
         fsym = f.sympy
-        msg += '<p>You entered: %s</p>' % to_latex(f.sympy)
+        msg += HTML('<p>You entered: {sympy}</p>').format(sympy=to_latex(f.sympy))
     except Exception as err:
         log.exception("Error evaluating expression '%s' as a valid equation", ans)
-        msg += "<p>Error in evaluating your expression '%s' as a valid equation</p>" % (ans)
+        msg += HTML("<p>Error in evaluating your expression '{ans}' as a valid equation</p>").format(ans=ans)
         if "Illegal math" in str(err):
-            msg += "<p>Illegal math expression</p>"
+            msg += HTML("<p>Illegal math expression</p>")
         if DEBUG:
-            msg += 'Error: %s' % str(err).replace('<', '&lt;')
-            msg += '<hr>'
-            msg += '<p><font color="blue">DEBUG messages:</p>'
-            msg += "<p><pre>%s</pre></p>" % traceback.format_exc()
-            msg += '<p>cmathml=<pre>%s</pre></p>' % f.cmathml.replace('<', '&lt;')
-            msg += '<p>pmathml=<pre>%s</pre></p>' % mmlans.replace('<', '&lt;')
-            msg += '<hr>'
+            msg += HTML('Error: {err}<hr><p><font color="blue">DEBUG messages:</p><p><pre>{format_exc}</pre></p>'
+                        '<p>cmathml=<pre>{cmathml}</pre></p><p>pmathml=<pre>{pmathml}</pre></p><hr>').format(
+                err=escape(str(err)), format_exc=traceback.format_exc(), cmathml=escape(f.cmathml),
+                pmathml=escape(mmlans)
+            )
         return {'ok': False, 'msg': make_error_message(msg)}
 
     # do numerical comparison with expected
@@ -277,9 +287,9 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
             if abs(abs(fsym - fexpect) / fexpect) < threshold:
                 return {'ok': True, 'msg': msg}
             return {'ok': False, 'msg': msg}
-        msg += "<p>Expecting a numerical answer!</p>"
-        msg += "<p>given = %s</p>" % repr(ans)
-        msg += "<p>fsym = %s</p>" % repr(fsym)
+        msg += HTML("<p>Expecting a numerical answer!</p><p>given = {ans}</p><p>fsym = {fsym}</p>").format(
+            ans=repr(ans), fsym=repr(fsym)
+        )
         # msg += "<p>cmathml = <pre>%s</pre></p>" % str(f.cmathml).replace('<','&lt;')
         return {'ok': False, 'msg': make_error_message(msg)}
 
@@ -297,12 +307,12 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
             if abs(dm.vec().norm().evalf()) < threshold:
                 return {'ok': True, 'msg': msg}
         except sympy.ShapeError:
-            msg += "<p>Error - your input vector or matrix has the wrong dimensions"
+            msg += HTML("<p>Error - your input vector or matrix has the wrong dimensions")
             return {'ok': False, 'msg': make_error_message(msg)}
         except Exception as err:
-            msg += "<p>Error %s in comparing expected (a list) and your answer</p>" % str(err).replace('<', '&lt;')
+            msg += HTML("<p>Error %s in comparing expected (a list) and your answer</p>").format(escape(str(err)))
             if DEBUG:
-                msg += "<p/><pre>%s</pre>" % traceback.format_exc()
+                msg += HTML("<p/><pre>{format_exc}</pre>").format(format_exc=traceback.format_exc())
             return {'ok': False, 'msg': make_error_message(msg)}
 
     #diff = (fexpect-fsym).simplify()
@@ -314,15 +324,13 @@ def symmath_check(expect, ans, dynamath=None, options=None, debug=None, xml=None
         diff = None
 
     if DEBUG:
-        msg += '<hr>'
-        msg += '<p><font color="blue">DEBUG messages:</p>'
-        msg += "<p>Got: %s</p>" % repr(fsym)
+        msg += HTML('<hr><p><font color="blue">DEBUG messages:</p><p>Got: {fsym}</p><p>Expecting: {fexpect}</p>')\
+            .format(fsym=repr(fsym), fexpect=repr(fexpect).replace('**', '^').replace('hat(I)', 'hat(i)'))
         # msg += "<p/>Got: %s" % str([type(x) for x in fsym.atoms()]).replace('<','&lt;')
-        msg += "<p>Expecting: %s</p>" % repr(fexpect).replace('**', '^').replace('hat(I)', 'hat(i)')
         # msg += "<p/>Expecting: %s" % str([type(x) for x in fexpect.atoms()]).replace('<','&lt;')
         if diff:
-            msg += "<p>Difference: %s</p>" % to_latex(diff)
-        msg += '<hr>'
+            msg += HTML("<p>Difference: {diff}</p>").format(diff=to_latex(diff))
+        msg += HTML('<hr>')
 
     # Used to return more keys: 'ex': fexpect, 'got': fsym
     return {'ok': False, 'msg': msg}

common/static/js/capa/drag_and_drop/base_image.js

@@ -1,21 +1,14 @@
 (function(requirejs, require, define) {
-    define([], function() {
+    define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
         return BaseImage;
 
         function BaseImage(state) {
             var $baseImageElContainer;
 
-            $baseImageElContainer = $(
-            '<div ' +
-                'class="base_image_container" ' +
-                'style=" ' +
-                    'position: relative; ' +
-                    'margin-bottom: 25px; ' +
-                    'margin-left: auto; ' +
-                    'margin-right: auto; ' +
-                '" ' +
-            '></div>'
-        );
+            $baseImageElContainer = $(HtmlUtils.joinHtml(
+                HtmlUtils.HTML('<div class="base_image_container" style=" position: relative; margin-bottom: 25px; '),
+                HtmlUtils.HTML('margin-left: auto; margin-right: auto; " ></div>')
+            ).toString());
 
             state.baseImageEl = $('<img />', {
                 alt: gettext('Drop target image')
@@ -38,12 +31,13 @@
                 state.baseImageLoaded = true;
             });
             state.baseImageEl.error(function() {
+                var errorMsg = HtmlUtils.joinHtml(
+                    HtmlUtils.HTML('<span style="color: red;">'),
+                        HtmlUtils.HTML('ERROR: Image "'), state.config.baseImage, HtmlUtils.HTML('" was not found!'),
+                    HtmlUtils.HTML('</span>')
+                );
                 console.log('ERROR: Image "' + state.config.baseImage + '" was not found!');
-                $baseImageElContainer.html(
-                '<span style="color: red;">' +
-                    'ERROR: Image "' + state.config.baseImage + '" was not found!' +
-                '</span>'
-            );
+                HtmlUtils.setHtml($baseImageElContainer, errorMsg);
                 $baseImageElContainer.appendTo(state.containerEl);
             });
         }

common/test/test_sites/test_site/templates/static_templates/contact.html

@@ -4,6 +4,8 @@
 <%!
 from django.utils.translation import ugettext as _
 from django.urls import reverse
+
+from openedx.core.djangolib.markup import HTML, Text
 %>
 
 <%block name="title"><title>${_("Contact {platform_name}").format(platform_name=settings.PLATFORM_NAME)}</title></%block>
@@ -25,39 +27,40 @@ <h2>${_("Class Feedback")}</h2>
       <p>${_("We are always seeking feedback to improve our courses. If you are an enrolled student and have any questions, feedback, suggestions, or any other issues specific to a particular class, please post on the discussion forums of that class.")}</p>
 
       <h2>${_("General Inquiries and Feedback")}</h2>
-      <p>${_('If you have a general question about {platform_name} please email {email}. To see if your question has already been answered, visit our {faq_link_start}FAQ page{faq_link_end}. You can also join the discussion on our {fb_link_start}facebook page{fb_link_end}. Though we may not have a chance to respond to every email, we take all feedback into consideration.').format(
+      <p>${Text(_('If you have a general question about {platform_name} please email {email}. To see if your question has already been answered, visit our {faq_link_start}FAQ page{faq_link_end}. You can also join the discussion on our {fb_link_start}facebook page{fb_link_end}. Though we may not have a chance to respond to every email, we take all feedback into consideration.')).format(
           platform_name=settings.PLATFORM_NAME,
-          email='<a href="mailto:{contact_email}">{contact_email}</a>'.format(contact_email=settings.CONTACT_EMAIL),
-          faq_link_start='<a href="{url}">'.format(url=reverse('faq_edx')),
-          faq_link_end='</a>',
-          fb_link_start='<a href="http://www.facebook.com/EdxOnline">',
-          fb_link_end='</a>'
+          email=HTML('<a href="mailto:{contact_email}">{contact_email}</a>').format(contact_email=settings.CONTACT_EMAIL),
+          faq_link_start=HTML('<a href="{url}">').format(url=reverse('faq_edx')),
+          faq_link_end=HTML('</a>'),
+          fb_link_start=HTML('<a href="http://www.facebook.com/EdxOnline">'),
+          fb_link_end=HTML('</a>')
         )}</p>
 
       <h2>${_("Technical Inquiries and Feedback")}</h2>
-      <p>${_('If you have suggestions/feedback about the overall {platform_name} platform, or are facing general technical issues with the platform (e.g., issues with email addresses and passwords), you can reach us at {tech_email}. For technical questions, please make sure you are using a current version of Firefox or Chrome, and include browser and version in your e-mail, as well as screenshots or other pertinent details. If you find a bug or other issues, you can reach us at the following: {bug_email}.').format(
+      <p>${Text(_('If you have suggestions/feedback about the overall {platform_name} platform, or are facing general technical issues with the platform (e.g., issues with email addresses and passwords), you can reach us at {tech_email}. For technical questions, please make sure you are using a current version of Firefox or Chrome, and include browser and version in your e-mail, as well as screenshots or other pertinent details. If you find a bug or other issues, you can reach us at the following: {bug_email}.')).format(
         platform_name=settings.PLATFORM_NAME,
-        tech_email='<a href="mailto:{tech_support_email}">{tech_support_email}</a>'.format(tech_support_email=settings.TECH_SUPPORT_EMAIL),
-        bug_email='<a href="mailto:{bugs_email}">{bugs_email}</a>'.format(bugs_email=settings.BUGS_EMAIL)
+        tech_email=HTML('<a href="mailto:{tech_support_email}">{tech_support_email}</a>').format(tech_support_email=settings.TECH_SUPPORT_EMAIL),
+        bug_email=HTML('<a href="mailto:{bugs_email}">{bugs_email}</a>').format(bugs_email=settings.BUGS_EMAIL)
       )}</p>
 
       <h2>${_("Media")}</h2>
-      <p>${_('Please visit our {link_start}media/press page{link_end} for more information. For any media or press inquiries, please email {email}.').format(
-        link_start='<a href="{url}">'.format(url=reverse('faq_edx')),
-        link_end='</a>',
-        email='<a href="mailto:{email}">{email}</a>'.format(email="press@edx.org"),
+      <p>${Text(_('Please visit our {link_start}media/press page{link_end} for more information. For any media or press inquiries, please email {email}.')).format(
+        link_start=HTML('<a href="{url}">').format(url=reverse('faq_edx')),
+        link_end=HTML('</a>'),
+        email=HTML('<a href="mailto:{email}">{email}</a>').format(email="press@edx.org"),
         )}</p>
 
       <h2>${_("Universities")}</h2>
-      <p>${_('If you are a university wishing to collaborate or you have questions about {platform_name}, please email {email}.'.format(
+      <p>${Text(_('If you are a university wishing to collaborate or you have questions about {platform_name}, please email {email}.')).format(
           platform_name="edX",
-          email='<a href="mailto:{email}">{email}</a>'.format(
+          email=HTML('<a href="mailto:{email}">{email}</a>').format(
             email="university@edx.org"
           )
-        ))}</p>
+        )}</p>
 
       <h2>${_("Accessibility")}</h2>
-      <p>${_('{platform_name} strives to create an innovative online-learning platform that promotes accessibility for everyone, including students with disabilities. We are dedicated to improving the accessibility of the platform and welcome your comments or questions at {email}.'.format(platform_name="EdX", email='<a href="mailto:{email}">{email}</a>'.format(email="accessibility@edx.org")))}</p>
+      <p>${Text(_('{platform_name} strives to create an innovative online-learning platform that promotes accessibility for everyone, including students with disabilities. We are dedicated to improving the accessibility of the platform and welcome your comments or questions at {email}.')).format(
+          platform_name="EdX", email=HTML('<a href="mailto:{email}">{email}</a>').format(email="accessibility@edx.org"))}</p>
     </div>
   </section>
 </section>