

fix: fix XSS
qwqtw committed Dec 5, 2023
1 parent fa761d3 commit 48d9f00
Showing 1 changed file with 49 additions and 42 deletions.
91 changes: 49 additions & 42 deletions lms/templates/courseware/courses.html
Expand Up @@ -16,8 +16,8 @@
% if course_discovery_enabled:
<%block name="header_extras">
% for template_name in ["course_card", "filter_bar", "filter", "facet", "facet_option"]:
<script type="text/template" id="${template_name}-tpl">
<%static:include path="discovery/${template_name}.underscore" />
<script type="text/template" id="${template_name | h}-tpl">
<%static:include path="discovery/${template_name | h}.underscore" />
</script>
% endfor
<%static:require_module module_name="js/discovery/discovery_factory" class_name="DiscoveryFactory">
Expand Down Expand Up @@ -324,49 +324,56 @@ <h2 class="header-search-facets">${_('Refine Your Search')}</h2>
</aside>
% endif

<script>
document.addEventListener('DOMContentLoaded', function () {
var searchForm = document.getElementById('discovery-form');

function updateSearchResultsCount(currentMessage, searchTerm) {
var message;

if (searchTerm === '') {
// If no search term is entered, use the current discovery message
message = currentMessage;
} else {
// If a search term is entered, format the message
var numberOfCourses = currentMessage.includes("any") ? 0 : parseInt(currentMessage.match(/\d+/)[0]);
var courseWord = numberOfCourses === 1 ? "course" : "courses"; // Singular or plural
message = "<b>" + numberOfCourses + "</b> " + courseWord + " find for \"" + searchTerm + "\"";
<script>
document.addEventListener('DOMContentLoaded', function () {
var searchForm = document.getElementById('discovery-form');

function updateSearchResultsCount(currentMessage, searchTerm) {
var message;

if (searchTerm === '') {
message = currentMessage;
} else {
var numberOfCourses = currentMessage.includes("any") ? 0 : parseInt(currentMessage.match(/\d+/)[0]);
var courseWord = numberOfCourses === 1 ? "course" : "courses";
message = "<b>" + numberOfCourses + "</b> " + courseWord + " found for \"" + escapeHtml(searchTerm) + "\"";
}

var resultsContainer = document.getElementById('search-results-container');
var existingElement = resultsContainer.querySelector('.search-results-count');

if (existingElement) {
existingElement.textContent = message;
} else {
var newElement = document.createElement('div');
newElement.className = 'search-results-count';
newElement.textContent = message;
resultsContainer.appendChild(newElement);
}
}

var resultsContainer = document.getElementById('search-results-container');
var existingElement = resultsContainer.querySelector('.search-results-count');

if (existingElement) {
existingElement.innerHTML = message; // Use innerHTML to interpret HTML tags
} else {
var newElement = document.createElement('div');
newElement.className = 'search-results-count';
newElement.innerHTML = message; // Use innerHTML to interpret HTML tags
resultsContainer.appendChild(newElement);

searchForm.addEventListener('submit', function (event) {
event.preventDefault();

var searchTerm = document.getElementById('discovery-input').value.trim();

setTimeout(function() {
var currentMessage = document.getElementById('discovery-message').textContent;
updateSearchResultsCount(currentMessage, searchTerm);
}, 500);
});

function escapeHtml(text) {
return text
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}
}

searchForm.addEventListener('submit', function (event) {
event.preventDefault();

var searchTerm = document.getElementById('discovery-input').value.trim();

setTimeout(function() {
var currentMessage = document.getElementById('discovery-message').textContent;
updateSearchResultsCount(currentMessage, searchTerm);
}, 500);
});
});
</script>

</script>

</section>
</section>
</main>
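Review bot: The new `existingElement.textContent = message` and `newElement.textContent = message` assignments already neutralise the injection on their own, so passing `searchTerm` through `escapeHtml` first is now double-encoding: a search for `a&b` shows up as `a&amp;b` in the count line, and the `<b>` wrapper around the number is displayed as literal text instead of rendering bold. Keep one mechanism, not both; building the line from DOM nodes keeps the bold count while every user-controlled string stays on the `textContent` path, and `escapeHtml` then becomes dead code that can be dropped. Separately, `currentMessage.match(/\d+/)[0]` throws a TypeError whenever the discovery message contains neither "any" nor a digit, which the `setTimeout` callback would surface as an uncaught error; guarding the match result with `var match = currentMessage.match(/\d+/);` and testing `!match` fixes that. A rewritten `updateSearchResultsCount` is sketched below; the submit handler is unchanged.
```javascript
function updateSearchResultsCount(currentMessage, searchTerm) {
  var resultsContainer = document.getElementById('search-results-container');
  var countElement = resultsContainer.querySelector('.search-results-count');
  if (!countElement) {
    countElement = document.createElement('div');
    countElement.className = 'search-results-count';
    resultsContainer.appendChild(countElement);
  }
  // Never assign innerHTML here: searchTerm is user input and only ever goes in via textContent.
  countElement.textContent = '';
  if (searchTerm === '') {
    countElement.textContent = currentMessage;
    return;
  }
  var match = currentMessage.match(/\d+/);
  var numberOfCourses = (currentMessage.includes("any") || !match) ? 0 : parseInt(match[0], 10);
  var courseWord = numberOfCourses === 1 ? "course" : "courses";
  var bold = document.createElement('b');
  bold.textContent = String(numberOfCourses);
  countElement.appendChild(bold);
  countElement.appendChild(document.createTextNode(' ' + courseWord + ' found for "' + searchTerm + '"'));
}
// … unchanged: submit handler …
// escapeHtml() is no longer referenced and can be removed.
```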
