
This was formerly known as "safe templates". The documentation is being updated to reflect the new name.

The following Preventing XSS documentation is mainly dedicated to the issue of Cross Site Scripting (XSS), which is just one of the OWASP Top 10 Security Vulnerabilities.

Read this documentation on Preventing Cross Site Scripting (XSS) Vulnerabilities specifically geared towards edx-platform in Read the Docs.

Here is a graph of XSS Linter Violations for edx-platform over time.

XSS Testing

XSS Linting is performed as part of the jenkins/quality tests on Jenkins.

If you click the "Details" link next to the jenkins/quality check in GitHub, it will bring you to Jenkins. Inside the quality build in Jenkins, you can get the following information:

  • Summary Details
    • The "Quality Report" link on the left hand navigation contains the following:
      • The "xsscommitlint" tab provides the number of violations in any file you added/modified in your commit, including previously existing violations.
      • The "xsslint" tab provides the number of violations (per violation type) across the entire platform.
  • Failure Details
    • The "Console Output" link on the left hand navigation will provide details of the failure.
      • In the event of an XSS linter failure, the console output will state specifically which violation type went over the threshold and by how much.
    • XSS failures mean that your commit bumped the number of violations over the current threshold. This is most likely due to introducing a line of code with a violation. It is sometimes, but rarely, due to a revert of someone else's commit which had previously reduced the number of violations.

  • Detailed Reports
    • XSS Commit Lint Report
      • This report provides details of violations in any file you added/modified in your commit, including previously existing violations.
      • To see this report, you can append the following url to the end of your Jenkins job url:

      • Although this is for reporting purposes only, if you have a failure due to a threshold, you can use this report to drop below the threshold.
    • XSS Lint Report
      • This is a platform level report, and is not generally useful.

To run these tests outside of Jenkins, see this XSS quality tests documentation in Read the Docs.
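The threshold ("ratchet") behaviour described above, as an added example that is not part of this page or of the xsslint tool itself: per-type totals are compared against thresholds the way the platform "xsslint" tab is, the "xsscommitlint" view is limited to files touched by the commit but keeps their pre-existing violations, and a failure names the type and the overage. The violation records, threshold values, file paths and report wording are constructed assumptions, not xsslint's real output format.

```python
"""Constructed model of the Jenkins XSS threshold check (not xsslint's code)."""
from collections import Counter

# Constructed sample: one record per linter violation (file path, violation type).
VIOLATIONS = [
    ("lms/templates/a.html", "mako-missing-default"),
    ("lms/templates/a.html", "mako-unwanted-html-filter"),
    ("lms/templates/b.html", "mako-missing-default"),
    ("cms/static/js/c.js", "javascript-jquery-html"),
    ("cms/static/js/c.js", "javascript-jquery-html"),
]

# Constructed per-type thresholds: a type's platform-wide count may not exceed these.
THRESHOLDS = {
    "mako-missing-default": 2,
    "mako-unwanted-html-filter": 1,
    "javascript-jquery-html": 1,
}


def platform_counts(violations):
    """Per-type totals across the whole tree (what the "xsslint" tab reports)."""
    return Counter(vtype for _, vtype in violations)


def commit_counts(violations, changed_files):
    """Violations in files touched by the commit, pre-existing ones included
    (what the "xsscommitlint" tab reports). Never fails the build on its own."""
    return Counter(vtype for path, vtype in violations if path in changed_files)


def threshold_failures(counts, thresholds):
    """Map each type that exceeds its threshold to its overage.
    A type with no configured threshold is treated as having a threshold of 0,
    so a brand-new violation type always counts as a failure."""
    return {t: n - thresholds.get(t, 0)
            for t, n in counts.items() if n > thresholds.get(t, 0)}


def quality_check(violations, thresholds):
    """Mimic the quality job: (passed, message) naming each type and its overage."""
    failures = threshold_failures(platform_counts(violations), thresholds)
    if not failures:
        return True, "xsslint: all violation types within threshold"
    lines = [f"xsslint: {t} is over threshold by {over}"
             for t, over in sorted(failures.items())]
    return False, "\n".join(lines)
```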

XSS Violations and Code Reviews

In certain cases, the quality check will fail in Jenkins when a violation is introduced that brings the number of violations of a particular type over its current threshold.

Jenkins will not fail if the XSS Commit Lint Report (see above) contains violations. During a code review, if there are violations, here are the steps to be taken:

  1. Bring awareness to the violations and to this process.
  2. Reviewer and reviewee should discuss and choose one of the following approaches:

    Try to always use separate commits for safe template work to keep your options open during the PR process. You may consider keeping them separate even when squashing in case they introduce a separate issue.

    1. Fix all violations as part of this PR.
    2. Fix violations that are simple to fix and/or simple to test along with the current PR.
    3. Create a PR for follow-up work where appropriate.
    4. Determine that the violations are too far removed and leave this important work to some other developer.

These violations are technical debt that we all share as maintainers of the platform, and any help to reduce this debt is greatly appreciated.