Open edX Developer's Guide

10. Preventing Cross Site Scripting Vulnerabilities

  • 10.1. Preventing Cross Site Scripting Vulnerabilities
    • 10.1.1. Philosophy and General Rules
    • 10.1.2. Types of Context and Escaping
    • 10.1.3. Editing Template Files
    • 10.1.4. Making Legacy Mako Templates Safe by Default
    • 10.1.5. XSS Linter
    • 10.1.6. Advanced Topics
    • 10.1.7. Additional Resources
  • 10.2. Preventing XSS by Stripping HTML Tags
    • 10.2.1. Overview
    • 10.2.2. Mako filters for bleaching
    • 10.2.3. Strip all HTML tags
    • 10.2.4. Strip all but safe HTML tags
  • 10.3. Preventing XSS in Django Templates
    • 10.3.1. HTML-escaping Translations in Django Templates
  • 10.4. Preventing XSS in React
    • 10.4.1. i18n and Translations

Copyright © 2023, edX Inc.
Creative Commons License
These works by edX Inc. are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.