From 24800be01a799c7d02ffacb32df57018ecf29e9f Mon Sep 17 00:00:00 2001
From: hinakhadim
Date: Sun, 10 Dec 2023 19:13:28 +0500
Subject: [PATCH] fix: xss issue; replace script tags with div tags
---
 cms/djangoapps/contentstore/course_info_model.py | 5 +++--
 cms/djangoapps/contentstore/utils.py | 6 ++++++
 cms/djangoapps/contentstore/views/block.py | 3 ++-
 cms/djangoapps/contentstore/views/course.py | 9 ++++++++-
 4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/cms/djangoapps/contentstore/course_info_model.py b/cms/djangoapps/contentstore/course_info_model.py
index 3a9d5d92de42..38b2a41fba90 100644
--- a/cms/djangoapps/contentstore/course_info_model.py
+++ b/cms/djangoapps/contentstore/course_info_model.py
@@ -19,6 +19,7 @@ from django.http import HttpResponseBadRequest
 from django.utils.translation import gettext as _
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from openedx.core.lib.xblock_utils import get_course_update_items
 from xmodule.html_block import CourseInfoBlock # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.django import modulestore # lint-amnesty, pylint: disable=wrong-import-order
@@ -67,7 +68,7 @@ def update_course_updates(location, update, passed_id=None, user=None):
 if course_update_item["id"] == passed_index:
 course_update_dict = course_update_item
 course_update_item["date"] = update["date"]
- course_update_item["content"] = update["content"]
+ course_update_item["content"] = replace_script_tags(update["content"])
 break
 if course_update_dict is None:
 return HttpResponseBadRequest(_("Invalid course update id."))
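Review bot: The `replace_script_tags(update["content"])` rewrite is duplicated inside update_course_updates — here on the edit branch and again in the @@ -78 hunk on the create branch — so any later change to the sanitisation has two places to miss; compute it once where `update` enters the function, `content = replace_script_tags(update["content"])`, and assign `content` in both branches. This is also a write-time substitution only: updates already stored are not rewritten, and the helper (see the utils.py hunk) is a literal string replace rather than an HTML sanitiser, so the rendering side must keep escaping or sanitising the content it emits. update_course_updates starts and ends outside the hunk.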
@@ -78,7 +79,7 @@ def update_course_updates(location, update, passed_id=None, user=None):
 # if no course updates then the id will be 1 otherwise maxid + 1
 "id": max(course_update_items_ids) + 1 if course_update_items_ids else 1,
 "date": update["date"],
- "content": update["content"],
+ "content": replace_script_tags(update["content"]),
 "status": CourseInfoBlock.STATUS_VISIBLE
 }
 course_update_items.append(course_update_dict)
diff --git a/cms/djangoapps/contentstore/utils.py b/cms/djangoapps/contentstore/utils.py
index 7791bb681238..5ec5d6c91798 100644
--- a/cms/djangoapps/contentstore/utils.py
+++ b/cms/djangoapps/contentstore/utils.py
@@ -731,3 +731,9 @@ def translation_language(language):
 translation.activate(previous)
 else:
 yield
+
+
+def replace_script_tags(string):
+ string = string.replace('', '')
+ return string
\ No newline at end of file
diff --git a/cms/djangoapps/contentstore/views/block.py b/cms/djangoapps/contentstore/views/block.py
index c65aaace82d8..226cb34404ac 100644
--- a/cms/djangoapps/contentstore/views/block.py
+++ b/cms/djangoapps/contentstore/views/block.py
@@ -33,6 +33,7 @@ from xblock.fields import Scope
 from cms.djangoapps.contentstore.config.waffle import SHOW_REVIEW_RULES_FLAG
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
 from cms.lib.xblock.authoring_mixin import VISIBILITY_VIEW
 from common.djangoapps.edxmako.services import MakoService
@@ -204,7 +205,7 @@ def xblock_handler(request, usage_key_string=None):
 return _save_xblock(
 request.user,
 _get_xblock(usage_key, request.user),
- data=request.json.get('data'),
+ data=replace_script_tags(request.json.get('data')),
 children_strings=request.json.get('children'),
 metadata=request.json.get('metadata'),
 nullout=request.json.get('nullout'),
diff --git a/cms/djangoapps/contentstore/views/course.py b/cms/djangoapps/contentstore/views/course.py
index b92e8c3d25f3..5be81dac3331 100644
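Review bot: `replace_script_tags` is a plain literal substitution (in this rendering the tag literals show as `replace('', '')` and appear to have been stripped when the page was rendered; the commit subject says it swaps the `<script>` pair for `<div>`), and a literal denylist only neutralises markup that matches the literal exactly — other capitalisation, attributes or whitespace inside the tag, or other elements that can carry script pass through — so it must not be the only control between stored HTML and a browser; an allow-list HTML sanitiser (e.g. bleach) at this boundary, with output escaping kept in the templates, is the robust form. The helper also assumes a `str`: the views/block.py hunk passes `request.json.get('data')`, which is `None` when the key is absent, so add `if not isinstance(string, str): return string` before the replace. A docstring should state the limitation, e.g. `"""Best-effort literal rewrite of script tags; not an HTML sanitiser."""`, the body can be a single `return string.replace(...)`, and the file should keep its trailing newline (`\ No newline at end of file`).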
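Review bot: `data=replace_script_tags(request.json.get('data'))` raises AttributeError whenever the request has no `data` key, because `dict.get` yields `None` and the helper (utils.py hunk) calls `.replace` on it unconditionally; the old line passed `None` through to `_save_xblock`, and the sibling arguments (`children`, `metadata`, `nullout`) suggest this call also serves updates that send no `data` at all, which would now fail with a 500. Guard it at the call site, `data = request.json.get('data')` before the call and `data=replace_script_tags(data) if isinstance(data, str) else data,` here, or make the helper None-safe. xblock_handler starts and ends outside the hunk.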
--- a/cms/djangoapps/contentstore/views/course.py
+++ b/cms/djangoapps/contentstore/views/course.py
@@ -34,6 +34,7 @@ from organizations.exceptions import InvalidOrganizationException
 from rest_framework.exceptions import ValidationError
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from cms.djangoapps.course_creators.views import add_user_with_status_unrequested, get_course_creator_status
 from cms.djangoapps.course_creators.models import CourseCreator
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
@@ -1876,8 +1877,14 @@ def group_configurations_detail_handler(request, course_key_string, group_config
 configuration = None
 if request.method in ('POST', 'PUT'): # can be either and sometimes django is rewriting one to the other
+ request_data = json.loads(request.body.decode('utf-8'))
+ for group in request_data.get('groups', []):
+ group['name'] = replace_script_tags(group['name'])
+
+ request_data = json.dumps(request_data).encode('utf-8')
+
 try:
- new_configuration = GroupConfiguration(request.body, course, group_configuration_id).get_user_partition() # lint-amnesty, pylint: disable=line-too-long
+ new_configuration = GroupConfiguration(request_data, course, group_configuration_id).get_user_partition() # lint-amnesty, pylint: disable=line-too-long
 except GroupConfigurationsValidationError as err:
 return JsonResponse({"error": str(err)}, status=400)
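Review bot: `json.loads(request.body.decode('utf-8'))` and the `group['name']` loop run before the `try` that turns `GroupConfigurationsValidationError` into a JSON 400, so a body that is not valid UTF-8 JSON, a top-level value that is not an object, a `groups` entry that is not a dict, or a group without `name` now escapes the view as `ValueError`/`AttributeError`/`KeyError`, whereas before the raw body went to `GroupConfiguration` for validation (what it does with malformed input is outside this hunk). Move the parse and rewrite inside the `try`, type-check what is rewritten, and handle `ValueError` alongside the validation error so both paths still answer with the same 400. Only group names are rewritten; the configuration's other free-text fields, if it has any, pass through unchanged, and since the hunk adds no `json` import, confirm the module already has one. group_configurations_detail_handler continues outside the hunk.
```python
        if request.method in ('POST', 'PUT'):  # can be either and sometimes django is rewriting one to the other
            try:
                request_data = json.loads(request.body.decode('utf-8'))
                groups = request_data.get('groups', []) if isinstance(request_data, dict) else []
                for group in groups:
                    if isinstance(group, dict) and isinstance(group.get('name'), str):
                        group['name'] = replace_script_tags(group['name'])
                request_data = json.dumps(request_data).encode('utf-8')
                new_configuration = GroupConfiguration(request_data, course, group_configuration_id).get_user_partition()  # lint-amnesty, pylint: disable=line-too-long
            except (ValueError, GroupConfigurationsValidationError) as err:
                return JsonResponse({"error": str(err)}, status=400)
```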