Open edX Security Alert: XSS Vulnerability in Teams Feature

Security Alert

Severity: High
Category: XSS
Affected Projects: edx-platform
Reporter: self-reported
Permanent URL:

During an internal code review of the edx-platform code it was discovered that a bug allowed user-submitted content to contain JavaScript that would execute in an end user's browser.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6960 to this issue. This is an entry on the CVE list, which standardizes names for security problems.

More Information

This bug made it possible for an end user to create a team containing JavaScript code in its name and have this code executed in another user’s browser.

The fix is to correctly escape JavaScript in team names before displaying them on the page.

The bug was fixed in this commit.
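The rendering patterns the advisory describes, as an added example: this is not code from edx-platform or from the fix, and the team names, the render functions and the audit helper are constructed for illustration. It shows the "before" (raw interpolation of a team name into markup) beside the "after" (escaping for the context the value lands in), and a small check a reviewer or test suite can run to confirm that user input no longer reaches the page as live markup.

```python
import html
import json

# Constructed team names for the demonstration; the third has the shape of
# input the advisory describes (markup submitted as a team name).
SAMPLE_TEAM_NAMES = [
    "Data Science Study Group",
    "Tom & Jerry's Team",
    '<script>alert("team")</script>',
]


def render_team_card_unsafe(team_name: str) -> str:
    """The 'before' pattern: user input is pasted straight into markup, so a
    name containing a tag is delivered to the browser as live HTML."""
    return f"<div class='team-name'>{team_name}</div>"


def render_team_card(team_name: str) -> str:
    """The 'after' pattern for an HTML body context: escape &, <, >, " and '
    so the browser renders the name as text instead of parsing it."""
    return f"<div class='team-name'>{html.escape(team_name, quote=True)}</div>"


def to_js_string_literal(value: str) -> str:
    """Safe embedding for a JavaScript string context (for example a client-side
    template initialised from an inline <script>): JSON-encode the value, then
    neutralise '</' so a closing tag inside the data cannot end the script."""
    return json.dumps(value).replace("</", "<\\/")


def has_unescaped_tag(rendered: str, user_value: str) -> bool:
    """Defender-side check for tests or code review: True when a user value
    containing '<' survived into the rendered fragment unchanged."""
    return "<" in user_value and user_value in rendered


def audit(names=SAMPLE_TEAM_NAMES) -> dict:
    """Count how many of the sample names leak through each renderer."""
    return {
        "unsafe_leaks": sum(has_unescaped_tag(render_team_card_unsafe(n), n) for n in names),
        "safe_leaks": sum(has_unescaped_tag(render_team_card(n), n) for n in names),
    }
```

The point a practitioner should take from this is that escaping is context-specific: `html.escape` is right for text between tags, while a value dropped into a JavaScript string needs JSON encoding plus the `</` fix-up, because `json.dumps` alone leaves `</script>` intact. Template engines with auto-escaping (Django templates, Mako with the `h` filter) do the first job for you; the defect class the advisory describes arises when a value is marked safe or interpolated outside the engine.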

Licenses Involved in Open edX

Open edX uses both the AGPL and the Apache license. The code in Open edX is spread across a number of repositories on GitHub, and each is licensed under either the AGPL or the Apache license.

The AGPL (GNU Affero General Public License) is maintained by the Free Software Foundation. It allows for use and sharing of unmodified code, modifying code, and the use and sharing of modified code.

Under the AGPL, when you modify the Open edX platform, you must share those modifications.

The Apache License is maintained by the Apache Foundation. It allows for the same use, sharing, and modification as the AGPL, but modifications can be shared under a license other than the AGPL.

The Open edX code falls into three main categories: core components of the Open edX platform, libraries used by others to access the platform through our APIs, and tools that are not particular to the Open edX platform. Each of these categories has its own licensing considerations.

Code that is essential to the Open edX platform is AGPL. This license ensures that all changes to the platform are shared, guaranteeing that the platform is truly an open resource and that everyone will benefit from the improvements. This includes, but is not limited to:

Code that is used by others to access edX APIs is Apache. The propagating nature of the AGPL makes it difficult for some people to adopt. For repositories where broad use is more important than shared improvements, edX uses the Apache license. This includes API libraries such as XBlock.

Broad-interest, or developer, tools are also Apache. These are tools that have nothing in particular to do with Open edX, and do not run as part of the platform. They could be of interest to any Python developer, for example. Tools like this will be Apache-licensed to enable their broader use and adoption. This includes tools such as bok choy.

To figure out which license a given repository uses, read the licensing file contained in the GitHub repository.

If you have any questions about edX’s licensing strategy, feel free to ask on the edx-code mailing list.

  • Open edX and its modules: Affero GNU General Public License
  • Nginx web server: 2-clause BSD-like license
  • MongoDB database: GNU AGPL v3.0 License
  • MySQL database: GNU General Public License v2
  • Django framework: BSD license
  • Python: Python License
  • Node.js: MIT License
  • Ruby: Ruby License and GPL
  • Rails: MIT license
  • RubyGems: Ruby License
  • Rake: Ruby License
  • RMagick: MIT license
  • OpenSSL: Apache License
  • Ncurses: MIT license
  • Readline: GPL license
  • Zlib: zlib License
  • Libiconv: LGPL license
  • Expat: MIT license
  • FreeType: The FreeType Project License

Complete Chinese Language Pack for Open edX Cypress

# switch to the edxapp user and load its environment
sudo -u edxapp bash
source /edx/app/edxapp/edxapp_env

# clear the existing zh_CN message catalogs
cd /edx/app/edxapp/edx-platform/conf/locale/zh_CN/LC_MESSAGES/
rm *

# regenerate the compiled catalogs and restart the edxapp processes
cd /edx/app/edxapp/edx-platform
paver i18n_fastgenerate

sudo /edx/bin/supervisorctl restart edxapp:

2. Edit django.po or djangojs.po

sudo -u edxapp bash
source /edx/app/edxapp/edxapp_env

# the catalogs live in the zh_CN locale directory used in the step above
cd /edx/app/edxapp/edx-platform/conf/locale/zh_CN/LC_MESSAGES/
vi django.po
vi djangojs.po

# recompile the catalogs and restart after editing
cd /edx/app/edxapp/edx-platform
paver i18n_fastgenerate
sudo /edx/bin/supervisorctl restart edxapp:
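A pre-flight check worth running after hand-editing the .po files above and before `paver i18n_fastgenerate`, as an added example that is not part of edx-platform or of the language pack: a minimal .po parser plus a comparison of the `%(name)s` placeholders in each msgid and msgstr. A translation that drops or renames a placeholder compiles fine but makes Django raise when the string is formatted at request time, so catching it here avoids a broken LMS after the restart. The sample django.po fragment is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed django.po fragment (not from the page or edx-platform). The
# second translated entry deliberately drops its %(username)s placeholder,
# the kind of hand-editing slip that makes Django raise at render time.
SAMPLE_PO = r'''
msgid ""
msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"

msgid "Team"
msgstr "团队"

#, python-format
msgid "Welcome back, %(username)s"
msgstr "欢迎回来"

#, python-format
msgid "%(count)s of %(total)s members"
msgstr "%(total)s 名成员中的 %(count)s 名"
'''

# %(name)s / %(name)d printf-style and {name} str.format-style placeholders.
PLACEHOLDER_RE = re.compile(r"%\((\w+)\)[sd]|\{(\w+)\}")
_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def _unquote(quoted: str) -> str:
    """Strip the surrounding quotes of a .po string and expand C-style escapes."""
    body = quoted.strip()[1:-1]
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), body)


def parse_po(text: str) -> Dict[str, str]:
    """Minimal msgid -> msgstr parser for single-form entries (no plurals or
    msgctxt), including gettext's multi-line continuation strings."""
    entries: Dict[str, str] = {}
    msgid_parts: List[str] = []
    msgstr_parts: List[str] = []
    target: List[str] = []  # list that bare continuation lines append to

    def store() -> None:
        if msgid_parts or msgstr_parts:
            entries["".join(msgid_parts)] = "".join(msgstr_parts)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment/flag line
            continue
        if line.startswith("msgid "):
            store()                             # finish the previous entry
            msgid_parts = [_unquote(line[len("msgid "):])]
            msgstr_parts = []
            target = msgid_parts
        elif line.startswith("msgstr "):
            msgstr_parts = [_unquote(line[len("msgstr "):])]
            target = msgstr_parts
        elif line.startswith('"'):
            target.append(_unquote(line))
    store()
    return entries


def placeholders(s: str) -> set:
    """Set of placeholder names used in a string."""
    return {a or b for a, b in PLACEHOLDER_RE.findall(s)}


def find_placeholder_mismatches(po_text: str) -> List[str]:
    """Return the msgids whose translation does not carry exactly the same set
    of placeholders as the source string; an empty list means the file passes
    this check and is safe to compile."""
    bad: List[str] = []
    for msgid, msgstr in parse_po(po_text).items():
        if not msgid or not msgstr:      # header entry or still untranslated
            continue
        if placeholders(msgid) != placeholders(msgstr):
            bad.append(msgid)
    return bad
```

Run it over `django.po` and `djangojs.po` (read the file, pass the text to `find_placeholder_mismatches`) and fix every msgid it reports before recompiling; `msgfmt --check` from gettext performs the same format-string comparison if it is installed on the box.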


A common question when deploying Open edX is: where do the videos go?

Open edX itself is not designed to store video. edX essentially provides a set of learning tools and a learning process, while more specialized resources such as video, machine learning and automated grading are hosted externally.

  • The intranet is isolated from the Internet, so users cannot use public video clouds.
  • The link between the intranet and the Internet is slow, while the intranet has enough compute and storage to hold the videos.
  • The videos should only be reachable from within the intranet.

On video copyright protection (DRM), see this discussion: the W3C has put forward the EME (Encrypted Media Extensions) standard and it is already supported, but protecting video in HTML5 is still not very convenient.

The ngx_http_flv_module module provides pseudo-streaming server-side support for Flash Video (FLV) files.

It handles requests with the start argument in the request URI’s query string specially, by sending back the contents of a file starting from the requested byte offset and with the prepended FLV header.

The ngx_http_mp4_module module provides pseudo-streaming server-side support for MP4 files. Such files typically have the .mp4, .m4v, or .m4a filename extensions.

Pseudo-streaming works in alliance with a compatible Flash player. The player sends an HTTP request to the server with the start time specified in the query string argument (named simply start and specified in seconds), and the server responds with the stream such that its start position corresponds to the requested time, for example:

The ngx_http_hls_module module provides HTTP Live Streaming (HLS) server-side support for MP4 and MOV media files. Such files typically have the .mp4, .m4v, .m4a, .mov, or .qt filename extensions. The module supports the H.264 video codec and the AAC and MP3 audio codecs.


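As an added example, not taken from the page or from the nginx documentation, here is an nginx server block that serves course videos with the flv and mp4 pseudo-streaming modules described above while meeting the intranet-only requirement from the video-storage section. The host name, document root and network ranges are placeholders; it assumes nginx was built with the flv and mp4 modules. The HLS module is left out because it ships only with the commercial NGINX Plus build.

```nginx
server {
    listen 80;
    server_name videos.intranet.example;   # placeholder host name

    root /srv/videos;                      # placeholder path to the video files

    # Only intranet clients may fetch anything from this host
    # (placeholder ranges; adjust to the real intranet).
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny  all;

    # Never expose directory listings of the video store.
    autoindex off;

    location ~ \.flv$ {
        flv;                       # honours ?start=<byte offset> for FLV files
    }

    location ~ \.(mp4|m4v|m4a)$ {
        mp4;                       # honours ?start=<seconds> for MP4 files
        mp4_buffer_size     1m;
        mp4_max_buffer_size 5m;
    }

    # Anything that is not a media file is refused.
    location / {
        return 404;
    }
}
```

Because regular-expression locations take precedence over the plain `location /`, only requests ending in a media extension reach the streaming modules; everything else gets a 404, and the access rules are applied before any of that for clients outside the listed ranges.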
So, without installing additional components, is it impossible to seek to a time position in an HTML5 player? The W3C has a standard, Media Fragments URI, that lets the browser pass time parameters. You can test this by opening a course video in the browser and appending different parameters to the video URL:


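An added example, not from the page, showing in Python how the `#t=` temporal dimension of a Media Fragments URI is parsed and how it maps onto the `?start=` query understood by ngx_http_mp4_module described above. The URLs are constructed for illustration. It goes a little beyond the text: it also handles open-ended ranges, `npt:` clock times, and malformed or inverted ranges, which a conforming player ignores by playing the whole resource.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def _npt_seconds(token: str) -> float:
    """Convert an NPT time token ("90", "1:30", "00:01:30", "12.5") to seconds.
    Raises ValueError for anything that is not a clock value."""
    parts = token.split(":")
    if len(parts) > 3:
        raise ValueError(token)
    seconds = 0.0
    for part in parts:          # hours, then minutes, then seconds
        seconds = seconds * 60 + float(part)
    return seconds


def parse_media_fragment(url: str) -> Tuple[float, Optional[float]]:
    """Return (start, end) in seconds from the #t= dimension of a Media
    Fragments URI; end is None when the range is open-ended. Malformed or
    inverted ranges are ignored, so the whole resource plays from 0."""
    fragment = urlsplit(url).fragment
    start, end = 0.0, None
    for name, value in parse_qsl(fragment, keep_blank_values=True):
        if name != "t":                     # only the temporal dimension here
            continue
        spec = value[4:] if value.startswith("npt:") else value
        start_tok, _, end_tok = spec.partition(",")
        try:
            new_start = _npt_seconds(start_tok) if start_tok else 0.0
            new_end = _npt_seconds(end_tok) if end_tok else None
        except ValueError:
            continue                        # not a valid time: ignore it
        if new_end is not None and new_end <= new_start:
            continue                        # inverted or empty range: ignore it
        start, end = new_start, new_end
    return start, end


def clip_url(base_url: str, start: float, end: Optional[float] = None) -> str:
    """Build a link that opens a video at a given moment (optionally a clip),
    for course pages that want to point at one segment of a lecture."""
    spec = f"{start:g}" + (f",{end:g}" if end is not None else "")
    return f"{base_url}#t={spec}"


def to_mp4_pseudostream_url(url: str) -> str:
    """Translate the client-side fragment into the server-side ?start= query
    understood by ngx_http_mp4_module, for players that ignore #t=. The
    fragment is dropped because fragments are never sent to the server."""
    parts = urlsplit(url)
    start, _ = parse_media_fragment(url)
    query = (parts.query + "&" if parts.query else "") + f"start={start:g}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
```

The last function is the bridge between the two mechanisms on this page: the fragment never leaves the browser, so a player that does not implement Media Fragments can still offer seeking if the page rewrites the link into the query form that the nginx module serves.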
Production Performance and Architecture of Open edX

A document on the GitHub wiki describes the architecture of edx.org. Deployment: it is deployed on EC2 via AWS CloudFormation. You can view the CloudFormation template.


ELB Elastic Load Balancing


EdXApp Servers (10 c3.4xlarge instances)

  • edxapp.yml
  • 1 external ELB hosting

Forum Servers (2 m1.large instances)

  • forum.yml
  • 1 internal ELB hosting

CommonCluster Servers (3 m3.large instances)

  • commoncluster.yml
  • 4 internal ELBs hosting
    • ElasticSearch
    • RabbitMQ
    • XQueue
    • XQueue internal

Worker Servers (2 m2.4xlarge instances)

xqwatcher Servers (2 m3.medium instances)

Insights Servers (2 m3.medium instances)

Certificates Servers (1 m3.medium instance)

MongoDB Hosted via

MySQL Hosted via AWS RDS (Multi-AZ deployment of size db.m2.4xlarge)

  • Can also be deployed using a cluster of any MySQL-compatible database server.


  • Various legacy graders
  • Analytics related servers
  • Admin & Monitoring servers


  • edXAPP, containing the LMS/CMS
  • Forums
  • Common node, containing RabbitMQ/XQueue
  • Worker, backend processes
  • xqwatcher, external analysis
  • Insights, data analytics
  • Certs, certificate component
  • MongoDB node
  • MySQL node
  • Others, such as admin and monitoring

Microsoft Releases a New Insert / Embed File XBlock. Following the Office Mix XBlock, Microsoft has released a new Insert / Embed File XBlock.

Microsoft originally intended to integrate Open edX with Office 365, but ended up building a file-sharing XBlock that integrates a variety of public URLs. This XBlock lets course authors embed a link from a file-service provider; the providers tested so far include Box, Dropbox, Google Docs, Office Mix, OneDrive, SlideShare, SoundCloud, TED and YouTube. The full list is here.

The Cypress release also adds single sign-on support for Office 365, contributed by Braden MacDonald of OpenCraft.

Overview of the 2015 Open edX Conference Program

Mitch Resnick

Jeff Jaffe

Jeff Jaffe, CEO of the World Wide Web Consortium (W3C).

The World Wide Web Consortium (W3C) was founded more than 20 years ago by the inventor of the Web, Tim Berners-Lee, to ensure the long-term growth of the Web. In his keynote, Dr. Jaffe will explain why open web standards are critical to the success of the Web and to keeping it a free, open and accessible environment for sharing knowledge. One mechanism already in use is education about these standards delivered directly by the W3C. This has grown from the W3DevCampus training program into the very successful launch of the W3C XSeries of courses on edX, "Learn HTML5 from W3C".

Deploying and Developing the Open edX Platform

  • OpenStack and edX / Adolfo Brandes and Florian Haas

Running Open edX on OpenStack, provided on demand to students in a lab environment.

  • UQx: Pragmatic Course Development at the University of Queensland, Australia / Andrew Dekker and John Zornig


  • Life in the Avant-Garde /  Regis Behmo


  • Building the Plane While Flying It: Migrating an Existing MOOC to edX / Mike Bifulco, Andrew Miller, Jeremy Osborn, and Michael Bingham-Hawk

Over the past year, Gymnasium, Aquent's MOOC platform for designers, migrated from a third-party SaaS platform to Open edX. In this talk we will discuss our migration, including requirements gathering, theming and customization of edX, migrating thousands of existing student profiles, creating edX courses, building the production deployment environment, and the hosting-partner lifecycle.

  • Getting Started with Configuration / Feanil Patel

Open edX uses Ansible for configuration management. This talk gives an overview of the configuration repository, describes the layout and organization of our Ansible roles, and gives some examples of how to use them.

  • Contributing Code to Open edX / Xavier Antoviaque and Sarina Canelake


  • Integrating Open edX with Campus Systems / Beth Porter, Braden MacDonald, and Phil MacGachey

Two major strengths of the Open edX platform are its support for interoperating with campus systems, namely institutional identity providers and learning management systems. Using SAML (Security Assertion Markup Language) and Shibboleth, we now allow students to log in to Open edX with their university credentials. Using LTI (Learning Tools Interoperability), we also allow instructors to smoothly integrate Open edX teaching content into Canvas and Blackboard courses. By using these open education standards we join a large community of service providers, letting learners enrich their campus-based experience with online learning resources. In this talk we will discuss these platform capabilities and the process used to design, validate and implement the features.

  • Developing for Accessibility / Mark Sadecki

edX is committed to making the Open edX platform fully accessible; this is part of our goals, values, vision and mission of enabling our partners and community to create high-quality educational experiences for everyone. edX accessibility coordinator Mark Sadecki will talk about the ongoing effort to make the platform conform to WCAG 2.0 AA (and what that means), and will also point out the details of common accessibility challenges that Open edX contributors may run into.

  • Organizing the Largest Open edX Hackathon + the Winner: an XBlock for Embedding Exercises in Videos / Laurent David, Philippe Chiu, Elie Mietkiewicz, Arnaud Wijns, Hajar Mouradi

Find out what was learned at #openedxhack, the first Open edX hackathon held in France and the largest ever, with more than 180 participants. We want to encourage people to organize more Open edX hackathons and to share best practices. The winning team of the French Open edX Hackathon will also demo its project: an XBlock that embeds quiz questions in videos.


ANALYSE: A learning analytics extension for Open edX

Pedro Jose Munoz Merino

This talk aims at presenting ANALYSE, a learning analytics tool developed for Open edX at Universidad Carlos III de Madrid. We will present the defined and implemented higher-level indicators as transformations of low-level data in ANALYSE, as well as the corresponding visualizations. In addition, we will present ways in which teachers and students can use ANALYSE to improve the learning process. You can find a video demo of ANALYSE on YouTube.

Digging through the data – MoocCzar

Andrew Dekker and John Zornig

This talk discusses the research data package that edX provides to partners, and how this data can be explored to learn more about the students taking our courses. To assist in this, we have developed a platform – MoocCzar, an open source project which helps edX teams uncover and disseminate data gathered from edX courses. The talk discusses the development and future of MoocCzar, and how this learning data can help influence future course design and development.

Analytics from edX


EdX will present the current state and future roadmap of Insights. We will also highlight how the open community has contributed to its success and how you can too.

Real Time Analytics Using ELK

Felipe Montoya

This talk presents an application of the open-source ELK stack (Elasticsearch, Logstash and Kibana) to deliver actionable insights in real time from edX tracking log records.

Courses in Open edX Implementations

Leveraging Open Edx for Corporate Training

Cathy Herbert

Today's corporate learner needs access to on-demand training delivered in easily consumable chunks – anytime, anywhere. They also need a forum to "talk to the instructor." Open edX provides the perfect platform for a blended training model which gives users what they need and better utilizes your training resources (often product managers, or functional leaders). Targeted sales training for internal employees and partners – while traditional testing methods are effective, edX gives us the ability to run "Best in Class" sales competitions (based on videos submitted by the employee/partner). This is huge – the system gives us the ability to have sales professionals practice their pitch and get direct feedback from their manager and team members.

Deploying SPOCs in a University Institution with Open edX: What Do We Need?

Jose A. Ruiperez-Valiente

The presentation describes the experience of creating and exploiting SPOCs at UC3M to supplement classroom training (flipped classroom) using the Open edX platform. In the presentation we will cover various aspects such as customizing the platform to adapt it to our environment (for example, LDAP support) and the additional software tools we have had to develop to facilitate the management of the whole process and the content creation associated with MOOCs / SPOCs. In addition we have developed several XBlocks to add new features to our courses. Finally, we will address the aspects an organization has to take into account to approach these projects successfully.

Building Successful Open edX Instructors from Non-Faculty Domain Experts

Julie Mullen, Lauren Edwards, and Vijay Gadepally

Traditionally, the knowledge held by professional engineers, scientists and researchers has only been accessible to a small number of co-workers. The open edX platform enables MIT Lincoln Laboratory to share the knowledge of world-class domain experts through technical education courses highlighting theory and its use in practice. Building successful online courses requires that technical professionals, with limited teaching experience, develop a teaching mindset. In this presentation we discuss the approaches used to help non-faculty instructors gain an awareness of the open edX andragogy and the path followed to transition from presenter to educational guide.

Navigating Barriers to Implementation of an International Medical Training Course in Developing Nations

Nicholus Warstadt, Silvia Vaca, and Feroze Naina

Clubfoot is a congenital birth deformity easily and effectively treatable by the low-resource, non-surgical Ponseti method, but knowledge of this technique has yet to disseminate to rural hospitals and clinics in developing countries. Current training practices are dominated by non-profit organizations investing extensive time, resources, and manpower to host centralized, annual trainings. Here, we describe our experience in working with these same non-profit organizations to develop and implement a standardized digital training through the Open edX platform, including barriers of technology, multi-instance administration, and the need for content customization.

Online Geospatial Education in Africa through the Open edX Platform: Possibilities and Limitations

Thomas Ballatore

Here, we discuss the particular challenges of translating a set of successful onsite geospatial training courses into a set of Open edX online courses for learners in Africa. We present work done in 14 countries (Algeria, Burundi, Chad, Cote d’Ivoire, DR Congo, Egypt, Ethiopia, Kenya, Malawi, Morocco, Rwanda, Tanzania, Uganda, and Zimbabwe) about user experience with current edX courses as well as experience and lessons for planned Open edX courses on geospatial topics.

Course Authoring and Extending the Open edX Platform

MIT Learning Object Repository for Education

Ferdi Alimadhi

We will discuss our new project for managing courseware content across courses, disciplines and runs, LORE. LORE allows you to import Open edX courses and pair them with metadata from analytics such as the average grade or number of attempts. From there you can use it to find, categorize, and mix and match problems or whole sections of different courses to share and re-use existing content in new ways.

Semantic Tagging Using Asides in Studio

Cole Shaw and Ross Strader

In this talk, we will discuss one of the first implementations of XBlock Asides, which we use to semantically tag problems in edX courses. Both MIT and the Open Learning Initiative at Stanford will present on their respective use cases and show how Asides can enhance the student and instructor experiences.

Open edX and Adaptive Learning

Ed Daciuk

Adaptive learning. You've heard the hype; now learn how to deliver on its promise and potential. Focusing on the intersection of Open edX and adaptive learning technology, this discussion will delve into recent developments that allow the Open edX platform to provide adaptive learning pathways to users. We will discuss the emerging landscape of adaptive technology, illustrate the use cases for integrating adaptive learning into the Open edX platform, and show how a major international corporation is integrating third-party solutions with Open edX to develop cutting-edge, scalable courses with personalized learning pathways for traditionally static areas like corporate training and regulatory compliance.


Google Course Builder and XBlock

Course Builder also provides a component that lets XBlocks be used directly in courseware, or imports XBlock courseware created in Open edX: just export the course from edX Studio and import it into Course Builder. Not all XBlock types are supported yet; only video, HTML rich text and multiple-choice problems are.


Several Ways to Use Open edX Without Installing It

Because Open edX is complex to install, several organizations now offer ways to use Open edX without installing it. These are suitable for the following users:

  • Not for production use
  • End users who want to see what edX can do
  • edX researchers focused on development

  • Open edX China Community Docker Edition

A Docker edition for demonstration and development released by the Open edX China community, produced by the community technical committee led by @wwj on the basis of Appsembler's Docker image, with a number of bugs fixed and Chinese localization added.

BitNami is a cloud-computing company that provides virtual machine images and public-cloud images for many open-source applications. Open edX can be deployed with one click on GCP or DigitalOcean, and an installer script is also offered that installs fully locally without needing to get around China's network restrictions. However, BitNami has modified the Open edX directory layout and runtime mechanics somewhat, so some time is needed to get familiar with its setup before developing on it. The version currently offered is Cypress.

A company specializing in Open edX services. It offers one-click generation of a Docker-based test environment that can be trialled for 24 hours. The current version is Birch.


  • eduStack OVA image


eduStack Sponsors the 2015 Open edX Conference

As a promoter and developer of Open edX in China, we sponsored the 2015 Open edX Con as a Friend of Open edX. For details, see

On October 12-13 the Open edX community will hold its conference in Wellesley, Massachusetts. The conference focuses on the development and use of the Open edX platform, which is used worldwide to host massive open online courses (MOOCs) as well as small-group courses and training modules. Attendees are developers, system administrators, education specialists and others who want to learn about the Open edX platform.