npm - @instructure/outcomes-ui - Versions diffs - 4.1.4 → 4.1.5 - Mend

@instructure/outcomes-ui 4.1.4 → 4.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (322) hide show

package/es/translated/zh-Hant/components/Gradebook/popovers/StudentPopover/__tests__/index.test.js CHANGED Viewed

@@ -254,80 +254,156 @@ describe('StudentPopover', function () {
       }, _callee0);
     })));
   });
-  describe('Loading State', function () {
-    it('shows a spinner when isLoading is true', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee1() {
-      var _t6;
+  describe('Security', function () {
+    it('does not render the mastery report link for a javascript: URI', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee1() {
       return _regenerator().w(function (_context1) {
         while (1) switch (_context1.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'javascript:alert(document.cookie)'
             });
             fireEvent.click(screen.getByTestId('student-cell-link'));
-            _t6 = expect;
             _context1.n = 1;
-            return screen.findByTitle('Loading user details');
+            return screen.findByText('Message');
           case 1:
-            _t6(_context1.v).toBeInTheDocument();
+            expect(screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context1.a(2);
         }
       }, _callee1);
     })));
-    it('does not show student details when isLoading is true', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee10() {
+    it('does not render the mastery report link for a data: URI', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee10() {
       return _regenerator().w(function (_context10) {
         while (1) switch (_context10.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'data:text/html,<script>alert(1)</script>'
             });
             fireEvent.click(screen.getByTestId('student-cell-link'));
             _context10.n = 1;
-            return screen.findByTitle('Loading user details');
+            return screen.findByText('Message');
           case 1:
-            expect(screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            expect(screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context10.a(2);
         }
       }, _callee10);
     })));
-  });
-  describe('Error State', function () {
-    it('shows an error message when error prop is provided', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee11() {
-      var _t7;
+    it('renders the mastery report link for a safe https URL', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee11() {
+      var safeUrl, masteryLink;
       return _regenerator().w(function (_context11) {
         while (1) switch (_context11.n) {
           case 0:
+            safeUrl = 'https://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Failed to load student details'
+              studentGradesUrl: safeUrl
             });
             fireEvent.click(screen.getByTestId('student-cell-link'));
-            _t7 = expect;
             _context11.n = 1;
-            return screen.findByText('Failed to load student details');
+            return screen.findByText('View Mastery Report');
           case 1:
-            _t7(_context11.v).toBeInTheDocument();
+            masteryLink = _context11.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context11.a(2);
         }
       }, _callee11);
     })));
-    it('does not show student details when error is present', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee12() {
+    it('renders the mastery report link for a safe http URL', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee12() {
+      var safeUrl, masteryLink;
       return _regenerator().w(function (_context12) {
         while (1) switch (_context12.n) {
           case 0:
+            safeUrl = 'http://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Something went wrong'
+              studentGradesUrl: safeUrl
             });
             fireEvent.click(screen.getByTestId('student-cell-link'));
             _context12.n = 1;
-            return screen.findByText('Something went wrong');
+            return screen.findByText('View Mastery Report');
           case 1:
-            expect(screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            masteryLink = _context12.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context12.a(2);
         }
       }, _callee12);
     })));
   });
+  describe('Loading State', function () {
+    it('shows a spinner when isLoading is true', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee13() {
+      var _t6;
+      return _regenerator().w(function (_context13) {
+        while (1) switch (_context13.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            fireEvent.click(screen.getByTestId('student-cell-link'));
+            _t6 = expect;
+            _context13.n = 1;
+            return screen.findByTitle('Loading user details');
+          case 1:
+            _t6(_context13.v).toBeInTheDocument();
+          case 2:
+            return _context13.a(2);
+        }
+      }, _callee13);
+    })));
+    it('does not show student details when isLoading is true', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee14() {
+      return _regenerator().w(function (_context14) {
+        while (1) switch (_context14.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            fireEvent.click(screen.getByTestId('student-cell-link'));
+            _context14.n = 1;
+            return screen.findByTitle('Loading user details');
+          case 1:
+            expect(screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context14.a(2);
+        }
+      }, _callee14);
+    })));
+  });
+  describe('Error State', function () {
+    it('shows an error message when error prop is provided', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee15() {
+      var _t7;
+      return _regenerator().w(function (_context15) {
+        while (1) switch (_context15.n) {
+          case 0:
+            renderComponent({
+              error: 'Failed to load student details'
+            });
+            fireEvent.click(screen.getByTestId('student-cell-link'));
+            _t7 = expect;
+            _context15.n = 1;
+            return screen.findByText('Failed to load student details');
+          case 1:
+            _t7(_context15.v).toBeInTheDocument();
+          case 2:
+            return _context15.a(2);
+        }
+      }, _callee15);
+    })));
+    it('does not show student details when error is present', /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regenerator().m(function _callee16() {
+      return _regenerator().w(function (_context16) {
+        while (1) switch (_context16.n) {
+          case 0:
+            renderComponent({
+              error: 'Something went wrong'
+            });
+            fireEvent.click(screen.getByTestId('student-cell-link'));
+            _context16.n = 1;
+            return screen.findByText('Something went wrong');
+          case 1:
+            expect(screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context16.a(2);
+        }
+      }, _callee16);
+    })));
+  });
 });

package/es/translated/zh-Hant/components/Gradebook/popovers/StudentPopover/index.js CHANGED Viewed

@@ -99,6 +99,9 @@ var MasteryScores = function MasteryScores(_ref2) {
     }, bucket.count)));
   }))));
 };
+var isSafeUrl = function isSafeUrl(url) {
+  return /^(https?:\/\/|\/)/i.test(url);
+};
 var Actions = function Actions(_ref3) {
   var studentGradesUrl = _ref3.studentGradesUrl;
   var _useState = useState(false),
@@ -121,7 +124,7 @@ var Actions = function Actions(_ref3) {
     borderWidth: "none small none none",
     width: "0px",
     height: "1.4rem"
-  }), studentGradesUrl && /*#__PURE__*/React.createElement(Flex.Item, null, /*#__PURE__*/React.createElement(Link, {
+  }), studentGradesUrl && isSafeUrl(studentGradesUrl) && /*#__PURE__*/React.createElement(Flex.Item, null, /*#__PURE__*/React.createElement(Link, {
     href: studentGradesUrl,
     variant: "standalone"
   }, /*#__PURE__*/React.createElement(Text, {

package/es/translated/zh-Hant/lib/__tests__/sanitize.test.js CHANGED Viewed

@@ -1,16 +1,138 @@
-import { expect, describe, it } from '@jest/globals';
+import { describe, expect, it } from '@jest/globals';
 import { sanitizeHtml } from "../sanitize.js";
-describe('sanitizeForHtml', function () {
-  it('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    expect(sanitizeHtml(invalid)).toContain('</monkey>');
+describe('sanitizeHtml', function () {
+  describe('equation images (Canvas-specific)', function () {
+    it('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      expect(sanitizeHtml(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+    });
+    it('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      expect(sanitizeHtml(equationImage)).toContain('vertical-align: middle');
+    });
+    it('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = sanitizeHtml(otherImage);
+      expect(out).toContain('src="/another_image"');
+      expect(out).not.toContain('canvas.instructure.com');
+    });
   });
-  it('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    expect(sanitizeHtml(equationImage)).toContain('canvas.instructure.com/equation_images/image');
+  describe('null / empty input handling', function () {
+    it('returns empty string for null', function () {
+      expect(sanitizeHtml(null)).toBe('');
+    });
+    it('returns empty string for undefined', function () {
+      expect(sanitizeHtml(void 0)).toBe('');
+    });
+    it('returns empty string for empty string', function () {
+      expect(sanitizeHtml('')).toBe('');
+    });
   });
-  it('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    expect(sanitizeHtml(otherImage)).toBe(otherImage);
+  describe('XSS - script execution vectors', function () {
+    it('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toContain('<script');
+      expect(out).not.toContain('alert(1)');
+    });
+    it('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/onerror/i);
+      expect(out).not.toContain('alert(1)');
+    });
+    it('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/onclick/i);
+    });
+    it('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/onload/i);
+      expect(out).not.toContain('alert(1)');
+    });
+    it('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/javascript:/i);
+    });
+    it('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/javascript:/i);
+    });
+    it('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toContain('alert(1)');
+    });
+    it('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      expect(sanitizeHtml(xss)).not.toContain('<object');
+    });
+    it('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      expect(sanitizeHtml(xss)).not.toContain('<embed');
+    });
+    it('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      expect(sanitizeHtml(xss)).not.toContain('<form');
+    });
+    it('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      expect(sanitizeHtml(xss)).not.toContain('<style');
+    });
+    it('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      expect(sanitizeHtml(xss)).not.toContain('<meta');
+    });
+    it('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      expect(sanitizeHtml(xss)).not.toContain('<base');
+    });
+    it('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/onerror/i);
+    });
+    it('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = sanitizeHtml(xss);
+      expect(out).not.toMatch(/<script/i);
+      expect(out).not.toContain('alert(1)');
+    });
+  });
+  describe('benign HTML (should be preserved)', function () {
+    it('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      expect(sanitizeHtml(html)).toBe(html);
+    });
+    it('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      expect(sanitizeHtml(html)).toContain('href="https://example.com"');
+    });
+    it('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      expect(sanitizeHtml(html)).toBe(html);
+    });
+    it('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = sanitizeHtml(html);
+      expect(out).toContain('<iframe');
+      expect(out).toContain('data-media-id="123"');
+      expect(out).toContain('data-media-type="video"');
+      expect(out).toContain('allowfullscreen');
+    });
+  });
+  describe('link hardening', function () {
+    it('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = sanitizeHtml(html);
+      expect(out).toMatch(/rel=["'][^"']*noopener[^"']*["']/);
+      expect(out).toMatch(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });

package/es/translated/zh-Hant/lib/sanitize.js CHANGED Viewed

@@ -1,29 +1,25 @@
-import _objectSpread from "@babel/runtime/helpers/esm/objectSpread2";
-import libSanitizeHtml from 'sanitize-html';
-function transformEquationImage(tagName, attribs) {
-  return {
-    tagName: tagName,
-    attribs: _objectSpread(_objectSpread({}, attribs), {}, {
-      src: "https://canvas.instructure.com".concat(attribs.src),
-      style: 'vertical-align: middle'
-    })
-  };
-}
-function transformImage(tagName, attribs) {
-  if (attribs.src != null && attribs.src.indexOf('/equation_images') === 0) {
-    return transformEquationImage(tagName, attribs);
+import DOMPurify from 'dompurify';
+var CONFIG = {
+  ADD_TAGS: ['iframe'],
+  ADD_ATTR: ['allowfullscreen', 'allow', 'frameborder', 'sandbox', 'target', 'data-media-id', 'data-media-type'],
+  FORBID_TAGS: ['form', 'input', 'button', 'textarea', 'select', 'option']
+};
+// Rewrite Canvas equation-image relative URLs to absolute,
+// preserving the previous behavior of this module.
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
+  if (node.tagName === 'IMG') {
+    var src = node.getAttribute('src') || '';
+    if (src.indexOf('/equation_images') === 0) {
+      node.setAttribute('src', "https://canvas.instructure.com".concat(src));
+      node.setAttribute('style', 'vertical-align: middle');
+    }
+  }
+  // Harden links opened in a new tab against tab-nabbing.
+  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+    node.setAttribute('rel', 'noopener noreferrer');
   }
-  return {
-    tagName: tagName,
-    attribs: attribs
-  };
-}
+});
 export function sanitizeHtml(html) {
-  return libSanitizeHtml(html, {
-    allowedTags: false,
-    allowedAttributes: false,
-    transformTags: {
-      img: transformImage
-    }
-  });
+  return DOMPurify.sanitize(html == null ? '' : html, CONFIG);
 }

package/lib/components/Gradebook/popovers/StudentPopover/__tests__/index.test.js CHANGED Viewed

@@ -257,80 +257,156 @@ describe('StudentPopover', function () {
       }, _callee0);
     })));
   });
-  describe('Loading State', function () {
-    it('shows a spinner when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee1() {
-      var _t6;
+  describe('Security', function () {
+    it('does not render the mastery report link for a javascript: URI', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee1() {
       return (0, _regenerator2.default)().w(function (_context1) {
         while (1) switch (_context1.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'javascript:alert(document.cookie)'
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
-            _t6 = expect;
             _context1.n = 1;
-            return _react2.screen.findByTitle('Loading user details');
+            return _react2.screen.findByText('Message');
           case 1:
-            _t6(_context1.v).toBeInTheDocument();
+            expect(_react2.screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context1.a(2);
         }
       }, _callee1);
     })));
-    it('does not show student details when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee10() {
+    it('does not render the mastery report link for a data: URI', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee10() {
       return (0, _regenerator2.default)().w(function (_context10) {
         while (1) switch (_context10.n) {
           case 0:
             renderComponent({
-              isLoading: true
+              studentGradesUrl: 'data:text/html,<script>alert(1)</script>'
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
             _context10.n = 1;
-            return _react2.screen.findByTitle('Loading user details');
+            return _react2.screen.findByText('Message');
           case 1:
-            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            expect(_react2.screen.queryByText('View Mastery Report')).not.toBeInTheDocument();
           case 2:
             return _context10.a(2);
         }
       }, _callee10);
     })));
-  });
-  describe('Error State', function () {
-    it('shows an error message when error prop is provided', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee11() {
-      var _t7;
+    it('renders the mastery report link for a safe https URL', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee11() {
+      var safeUrl, masteryLink;
       return (0, _regenerator2.default)().w(function (_context11) {
         while (1) switch (_context11.n) {
           case 0:
+            safeUrl = 'https://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Failed to load student details'
+              studentGradesUrl: safeUrl
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
-            _t7 = expect;
             _context11.n = 1;
-            return _react2.screen.findByText('Failed to load student details');
+            return _react2.screen.findByText('View Mastery Report');
           case 1:
-            _t7(_context11.v).toBeInTheDocument();
+            masteryLink = _context11.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context11.a(2);
         }
       }, _callee11);
     })));
-    it('does not show student details when error is present', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee12() {
+    it('renders the mastery report link for a safe http URL', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee12() {
+      var safeUrl, masteryLink;
       return (0, _regenerator2.default)().w(function (_context12) {
         while (1) switch (_context12.n) {
           case 0:
+            safeUrl = 'http://canvas.instructure.com/courses/123/grades/1';
             renderComponent({
-              error: 'Something went wrong'
+              studentGradesUrl: safeUrl
             });
             _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
             _context12.n = 1;
-            return _react2.screen.findByText('Something went wrong');
+            return _react2.screen.findByText('View Mastery Report');
           case 1:
-            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+            masteryLink = _context12.v;
+            expect(masteryLink.closest('a')).toHaveAttribute('href', safeUrl);
           case 2:
             return _context12.a(2);
         }
       }, _callee12);
     })));
   });
+  describe('Loading State', function () {
+    it('shows a spinner when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee13() {
+      var _t6;
+      return (0, _regenerator2.default)().w(function (_context13) {
+        while (1) switch (_context13.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _t6 = expect;
+            _context13.n = 1;
+            return _react2.screen.findByTitle('Loading user details');
+          case 1:
+            _t6(_context13.v).toBeInTheDocument();
+          case 2:
+            return _context13.a(2);
+        }
+      }, _callee13);
+    })));
+    it('does not show student details when isLoading is true', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee14() {
+      return (0, _regenerator2.default)().w(function (_context14) {
+        while (1) switch (_context14.n) {
+          case 0:
+            renderComponent({
+              isLoading: true
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _context14.n = 1;
+            return _react2.screen.findByTitle('Loading user details');
+          case 1:
+            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context14.a(2);
+        }
+      }, _callee14);
+    })));
+  });
+  describe('Error State', function () {
+    it('shows an error message when error prop is provided', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee15() {
+      var _t7;
+      return (0, _regenerator2.default)().w(function (_context15) {
+        while (1) switch (_context15.n) {
+          case 0:
+            renderComponent({
+              error: 'Failed to load student details'
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _t7 = expect;
+            _context15.n = 1;
+            return _react2.screen.findByText('Failed to load student details');
+          case 1:
+            _t7(_context15.v).toBeInTheDocument();
+          case 2:
+            return _context15.a(2);
+        }
+      }, _callee15);
+    })));
+    it('does not show student details when error is present', /*#__PURE__*/(0, _asyncToGenerator2.default)(/*#__PURE__*/(0, _regenerator2.default)().m(function _callee16() {
+      return (0, _regenerator2.default)().w(function (_context16) {
+        while (1) switch (_context16.n) {
+          case 0:
+            renderComponent({
+              error: 'Something went wrong'
+            });
+            _react2.fireEvent.click(_react2.screen.getByTestId('student-cell-link'));
+            _context16.n = 1;
+            return _react2.screen.findByText('Something went wrong');
+          case 1:
+            expect(_react2.screen.queryByTestId('lmgb-student-popover-avatar')).not.toBeInTheDocument();
+          case 2:
+            return _context16.a(2);
+        }
+      }, _callee16);
+    })));
+  });
 });

package/lib/components/Gradebook/popovers/StudentPopover/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/Gradebook/popovers/StudentPopover/index.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,EAAY,KAAK,SAAS,EAAE,MAAM,OAAO,CAAA;AAcvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAyB7D,KAAK,UAAU,GACX;IAAE,cAAc,EAAE,SAAS,CAAC;IAAC,SAAS,CAAC,EAAE,KAAK,CAAC;IAAC,WAAW,CAAC,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,EAAE,KAAK,CAAA;CAAE,GACvF;IAAE,cAAc,CAAC,EAAE,KAAK,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAAA;AAE3F,KAAK,iBAAiB,GAClB;IAAE,qBAAqB,EAAE,SAAS,CAAC;IAAC,aAAa,CAAC,EAAE,KAAK,CAAA;CAAE,GAC3D;IAAE,qBAAqB,CAAC,EAAE,KAAK,CAAC;IAAC,aAAa,CAAC,EAAE,oBAAoB,CAAA;CAAE,CAAA;AAE3E,KAAK,UAAU,GACX;IAAE,eAAe,EAAE,SAAS,CAAC;IAAC,gBAAgB,CAAC,EAAE,KAAK,CAAA;CAAE,GACxD;IAAE,eAAe,CAAC,EAAE,KAAK,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAAA;AAEzD,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,sBAAsB,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,KAAK,IAAI,CAAA;CACtD,GAAG,UAAU,GAAG,iBAAiB,GAAG,UAAU,CAAA;~~AA2K~~/C,eAAO,MAAM,cAAc,EAAE,KAAK,CAAC,EAAE,CAAC,mBAAmB,CAwFxD,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/Gradebook/popovers/StudentPopover/index.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,EAAY,KAAK,SAAS,EAAE,MAAM,OAAO,CAAA;AAcvD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AAyB7D,KAAK,UAAU,GACX;IAAE,cAAc,EAAE,SAAS,CAAC;IAAC,SAAS,CAAC,EAAE,KAAK,CAAC;IAAC,WAAW,CAAC,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,EAAE,KAAK,CAAA;CAAE,GACvF;IAAE,cAAc,CAAC,EAAE,KAAK,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAAA;AAE3F,KAAK,iBAAiB,GAClB;IAAE,qBAAqB,EAAE,SAAS,CAAC;IAAC,aAAa,CAAC,EAAE,KAAK,CAAA;CAAE,GAC3D;IAAE,qBAAqB,CAAC,EAAE,KAAK,CAAC;IAAC,aAAa,CAAC,EAAE,oBAAoB,CAAA;CAAE,CAAA;AAE3E,KAAK,UAAU,GACX;IAAE,eAAe,EAAE,SAAS,CAAC;IAAC,gBAAgB,CAAC,EAAE,KAAK,CAAA;CAAE,GACxD;IAAE,eAAe,CAAC,EAAE,KAAK,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAAA;AAEzD,MAAM,MAAM,mBAAmB,GAAG;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,sBAAsB,CAAC,EAAE,CAAC,SAAS,EAAE,OAAO,KAAK,IAAI,CAAA;CACtD,GAAG,UAAU,GAAG,iBAAiB,GAAG,UAAU,CAAA;AA6K/C,eAAO,MAAM,cAAc,EAAE,KAAK,CAAC,EAAE,CAAC,mBAAmB,CAwFxD,CAAA"}

package/lib/components/Gradebook/popovers/StudentPopover/index.js CHANGED Viewed

@@ -108,6 +108,9 @@ var MasteryScores = function MasteryScores(_ref2) {
     }, bucket.count)));
   }))));
 };
+var isSafeUrl = function isSafeUrl(url) {
+  return /^(https?:\/\/|\/)/i.test(url);
+};
 var Actions = function Actions(_ref3) {
   var studentGradesUrl = _ref3.studentGradesUrl;
   var _useState = (0, _react.useState)(false),
@@ -130,7 +133,7 @@ var Actions = function Actions(_ref3) {
     borderWidth: "none small none none",
     width: "0px",
     height: "1.4rem"
-  }), studentGradesUrl && /*#__PURE__*/_react.default.createElement(_uiFlex.Flex.Item, null, /*#__PURE__*/_react.default.createElement(_uiLink.Link, {
+  }), studentGradesUrl && isSafeUrl(studentGradesUrl) && /*#__PURE__*/_react.default.createElement(_uiFlex.Flex.Item, null, /*#__PURE__*/_react.default.createElement(_uiLink.Link, {
     href: studentGradesUrl,
     variant: "standalone"
   }, /*#__PURE__*/_react.default.createElement(_uiText.Text, {