Merge pull request #11929 from edx/nasthagiri/css-template2

XSS Safe templates

lms/templates/survey/survey.html

+<%page expression_filter="h"/>
 <%inherit file="../main.html" />
 <%namespace name='static' file='../static_content.html'/>
 <%!
@@ -26,7 +27,7 @@ from django.utils import html
         <div class="header-survey">
           <h4 class="course-info">
             <span class="course-org">${course.display_org_with_default}</span><span class="course-number"> ${course.display_number_with_default}</span>
-            <span class="course-name">${course.display_name | h}</span>
+            <span class="course-name">${course.display_name}</span>
           </h4>
           <h3 class="title">${_("Pre-Course Survey")}</h3>
         </div>
@@ -41,7 +42,7 @@ from django.utils import html
         <ul class="message-copy"> </ul>
       </div>
 
-      ${survey_form}
+      ${survey_form | n, unicode}
 
       <div class="form-actions">
         <button name="submit" type="submit" id="submit" class="action action-primary action-update">${_('Submit')}</button>

lms/templates/tab_module.html

+<%page expression_filter="h"/>
+<%!
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json, js_escaped_string
+)
+%>
+
 <div id="tab_${id}" class="tab">
   <ul class="navigation"></ul>
 </div>
@@ -5,7 +12,7 @@
 <%block name="js_extra">
 <script type="text/javascript">
   $(function(){
-      new Tab('${id}', ${items});
+      new Tab('${id | n, js_escaped_string}', ${items | n, dump_js_escaped_json});
   });
 </script>
 </%block>

lms/templates/themable-footer.html

 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>
 
 ## This file only exists as an additional layer of indirection to preserve

lms/templates/tracking_log.html

+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <html>
@@ -13,4 +14,4 @@
     </tr>
 % endfor
 </table>    
-</html>
\ No newline at end of file
+</html>

lms/templates/unsubscribe.html

+<%page expression_filter="h"/>
 <%!
+from openedx.core.djangolib.markup import Text, HTML
 from django.core.urlresolvers import reverse
 from django.utils.translation import ugettext as _
 from django.conf import settings
@@ -14,13 +16,16 @@ from django.conf import settings
     <hr class="horizontal-divider">
 
     <p>
-      ${_("You will no longer receive forum notification emails from {platform_name}. "
+      ${Text(
+        _("You will no longer receive forum notification emails from {platform_name}. "
           "You may {dashboard_link_start}return to your dashboard{link_end}. "
-          "If you did not mean to do this, {undo_link_start}you can re-subscribe{link_end}.").format(
-             platform_name=settings.PLATFORM_NAME,
-             dashboard_link_start="<a href='{}'>".format(reverse('dashboard')),
-             undo_link_start="<a id='resub_link' href='{}'>".format(reverse('resubscribe_forum_update', args=[token])),
-             link_end="</a>",)}
+          "If you did not mean to do this, {undo_link_start}you can re-subscribe{link_end}."
+        )).format(
+            platform_name=settings.PLATFORM_NAME,
+            dashboard_link_start=HTML("<a href='{}'>".format(reverse('dashboard'))),
+            undo_link_start=HTML("<a id='resub_link' href='{}'>".format(reverse('resubscribe_forum_update', args=[token]))),
+            link_end=HTML("</a>"),
+        )}
     </p>
   </section>
 </section>

lms/templates/using.html

+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <h1>${_('Using the system')}</h1>