Merge pull request #470 from edly-io/fix/xss-issue

Fix: Replace script tags with div tags for xss issue
edly-io · Dec 11, 2023 · e1a2064 · e1a2064
2 parents 1fa66d3 + 24800be
commit e1a2064
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/cms/djangoapps/contentstore/course_info_model.py b/cms/djangoapps/contentstore/course_info_model.py
@@ -19,6 +19,7 @@
 from django.http import HttpResponseBadRequest
 from django.utils.translation import gettext as _
 
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from openedx.core.lib.xblock_utils import get_course_update_items
 from xmodule.html_block import CourseInfoBlock  # lint-amnesty, pylint: disable=wrong-import-order
 from xmodule.modulestore.django import modulestore  # lint-amnesty, pylint: disable=wrong-import-order
@@ -67,7 +68,7 @@ def update_course_updates(location, update, passed_id=None, user=None):
             if course_update_item["id"] == passed_index:
                 course_update_dict = course_update_item
                 course_update_item["date"] = update["date"]
-                course_update_item["content"] = update["content"]
+                course_update_item["content"] = replace_script_tags(update["content"])
                 break
         if course_update_dict is None:
             return HttpResponseBadRequest(_("Invalid course update id."))
@@ -78,7 +79,7 @@ def update_course_updates(location, update, passed_id=None, user=None):
             # if no course updates then the id will be 1 otherwise maxid + 1
             "id": max(course_update_items_ids) + 1 if course_update_items_ids else 1,
             "date": update["date"],
-            "content": update["content"],
+            "content": replace_script_tags(update["content"]),
             "status": CourseInfoBlock.STATUS_VISIBLE
         }
         course_update_items.append(course_update_dict)

diff --git a/cms/djangoapps/contentstore/utils.py b/cms/djangoapps/contentstore/utils.py
@@ -731,3 +731,9 @@ def translation_language(language):
             translation.activate(previous)
     else:
         yield
+
+
+def replace_script_tags(string):
+    string = string.replace('<script', '<div')
+    string = string.replace('</script>', '</div>')
+    return string
diff --git a/cms/djangoapps/contentstore/views/block.py b/cms/djangoapps/contentstore/views/block.py
@@ -33,6 +33,7 @@
 from xblock.fields import Scope
 
 from cms.djangoapps.contentstore.config.waffle import SHOW_REVIEW_RULES_FLAG
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
 from cms.lib.xblock.authoring_mixin import VISIBILITY_VIEW
 from common.djangoapps.edxmako.services import MakoService
@@ -204,7 +205,7 @@ def xblock_handler(request, usage_key_string=None):
             return _save_xblock(
                 request.user,
                 _get_xblock(usage_key, request.user),
-                data=request.json.get('data'),
+                data=replace_script_tags(request.json.get('data')),
                 children_strings=request.json.get('children'),
                 metadata=request.json.get('metadata'),
                 nullout=request.json.get('nullout'),

diff --git a/cms/djangoapps/contentstore/views/course.py b/cms/djangoapps/contentstore/views/course.py
@@ -34,6 +34,7 @@
 from organizations.exceptions import InvalidOrganizationException
 from rest_framework.exceptions import ValidationError
 
+from cms.djangoapps.contentstore.utils import replace_script_tags
 from cms.djangoapps.course_creators.views import add_user_with_status_unrequested, get_course_creator_status
 from cms.djangoapps.course_creators.models import CourseCreator
 from cms.djangoapps.models.settings.course_grading import CourseGradingModel
@@ -1876,8 +1877,14 @@ def group_configurations_detail_handler(request, course_key_string, group_config
             configuration = None
 
         if request.method in ('POST', 'PUT'):  # can be either and sometimes django is rewriting one to the other
+            request_data = json.loads(request.body.decode('utf-8'))
+            for group in request_data.get('groups', []):
+                group['name'] = replace_script_tags(group['name'])
+
+            request_data = json.dumps(request_data).encode('utf-8')
+
             try:
-                new_configuration = GroupConfiguration(request.body, course, group_configuration_id).get_user_partition()  # lint-amnesty, pylint: disable=line-too-long
+                new_configuration = GroupConfiguration(request_data, course, group_configuration_id).get_user_partition()  # lint-amnesty, pylint: disable=line-too-long
             except GroupConfigurationsValidationError as err:
                 return JsonResponse({"error": str(err)}, status=400)