Update escaping and safe-templating usage

060b5bf9 · Brian Jacobel · ac37c12b · 060b5bf9 · 060b5bf9 · 060b5bf9
Commit 060b5bf9 authored Apr 22, 2016 by Brian Jacobel
Showing with 37 additions and 15 deletions

lms/templates/provider/authorize.html
+9 -4

lms/templates/registration/password_reset_complete.html
+9 -4

lms/templates/registration/password_reset_confirm.html
+17 -7

lms/templates/support/refund.html
+2 -0

No files found.
--- a/lms/templates/provider/authorize.html
+++ b/lms/templates/provider/authorize.html
 ## mako

+<%page expression_filter="h"/>
+
 <%!
 from django.utils.translation import ugettext as _
 from provider.templatetags.scope import scopes
 from django.core.urlresolvers import reverse
+from openedx.core.djangolib.markup import Text, HTML
 %>

 <%inherit file="../main.html"/>
@@ -14,9 +17,11 @@ from django.core.urlresolvers import reverse
 <div class="authorization-confirmation">
  % if not error:
  <p>
-  ${_("\n    <strong>{application_name}</strong> would like to access your data with the following permissions:\n  ".format(
-    application_name=client.name
-  ))}
+  ${Text(_("{start_strong}{application_name}{end_strong} would like to access your data with the following permissions:")).format(
+    start_strong=HTML("<strong>"),
+    application_name=client.name,
+    end_strong=HTML("</strong>")
+  )}
  </p>
  <ul>
    % for permission in scopes(oauth_data['scope']):
@@ -34,7 +39,7 @@ from django.core.urlresolvers import reverse
      % elif permission == "permissions":
        ${_("To see if you are a global staff user")}
      % else:
-        ${_("Manage your data: {permission}".format(permission=permission))}
+        ${_("Manage your data: {permission}").format(permission=permission)}
      % endif
    </li>
    % endfor

--- a/lms/templates/registration/password_reset_complete.html
+++ b/lms/templates/registration/password_reset_complete.html
 ## mako

-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>

 <%inherit file="../main.html"/>

@@ -27,9 +32,9 @@
            <div class="status submission-success" aria-live="polite">
                <h4 class="message-title">${_("Password Reset Complete")}</h4>
                <ul class="message-copy">
-                ${_(
-                    "Your password has been reset. {start_link}Sign-in to your account.{end_link}"
-                    .format(start_link='<a href="/login">', end_link='</a>')
+                ${Text(_("Your password has been reset. {start_link}Sign-in to your account.{end_link}")).format(
+                    start_link=HTML('<a href="/login">'),
+                    end_link=HTML('</a>')
                )}
                </ul>
            </div>

--- a/lms/templates/registration/password_reset_confirm.html
+++ b/lms/templates/registration/password_reset_confirm.html
 ## mako

-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>

 <%inherit file="../main.html"/>

 <%block name="title">
-    <title>${_("Reset Your {platform_name} Password".format(platform_name=platform_name))}</title>
+    <title>${_("Reset Your {platform_name} Password").format(platform_name=platform_name)}</title>
 </%block>

 <%block name="bodyextra">
@@ -18,7 +23,7 @@
 <div id="password-reset-confirm-container" class="login-register">
    <section id="password-reset-confirm-anchor" class="form-type">
        <div id="password-reset-confirm-form" class="form-wrapper" aria-live="polite">
-            <div class="status submission-error ${'hidden' if err_msg is None else ''}">
+            <div class="status submission-error ${'hidden' if not err_msg else ''}">
                <h4 class="message-title">${_("Error Resetting Password")}</h4>
                <ul class="message-copy">
                % if err_msg:
@@ -61,11 +66,16 @@
            <div class="status submission-error">
                <h4 class="message-title">${_("Invalid Password Reset Link")}</h4>
                <ul class="message-copy">
-                    ${_((
+                    ${Text(_((
                        "This password reset link is invalid. It may have been used already. To reset your password, "
-                        "go to the {start_link}sign-in{end_link} page and select <strong>Forgot password</strong>."
-                        ).format(start_link='<a href="/login">', end_link='</a>')
-                    )}
+                        "go to the {start_link}sign-in{end_link} page and select {start_strong}Forgot password{end_strong}."
+                        ))).format(
+                            start_link=HTML('<a href="/login">'),
+                            end_link=HTML('</a>'),
+                            start_strong=HTML('<strong>'),
+                            end_strong=HTML('</strong>')
+                        )
+                    }
                </ul>
            </div>
            % endif

--- a/lms/templates/support/refund.html
+++ b/lms/templates/support/refund.html
 ## mako

+<%page expression_filter="h"/>
+
 <%!
 from django.utils.translation import ugettext as _
 from django.utils.html import escape