XSS Safe default - header.html, navigation.html, help_modal.html

cms/templates/widgets/header.html

+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <%!
   from django.conf import settings
@@ -36,8 +37,8 @@
       <h2 class="info-course">
         <span class="sr">${_("Current Course:")}</span>
         <a class="course-link" href="${index_url}">
-          <span class="course-org">${context_course.display_org_with_default | h}</span><span class="course-number">${context_course.display_number_with_default | h}</span>
-          <span class="course-title" title="${context_course.display_name_with_default_escaped}">${context_course.display_name_with_default_escaped}</span>
+          <span class="course-org">${context_course.display_org_with_default}</span><span class="course-number">${context_course.display_number_with_default}</span>
+          <span class="course-title" title="${context_course.display_name_with_default}">${context_course.display_name_with_default}</span>
         </a>
       </h2>
 
@@ -139,8 +140,8 @@
       <h2 class="info-course">
         <span class="sr">${_("Current Library:")}</span>
         <a class="course-link" href="${index_url}">
-          <span class="course-org">${context_library.display_org_with_default | h}</span><span class="course-number">${context_library.display_number_with_default | h}</span>
-          <span class="course-title" title="${context_library.display_name_with_default_escaped}">${context_library.display_name_with_default_escaped}</span>
+          <span class="course-org">${context_library.display_org_with_default}</span><span class="course-number">${context_library.display_number_with_default}</span>
+          <span class="course-title" title="${context_library.display_name_with_default}">${context_library.display_name_with_default}</span>
         </a>
       </h2>
 

lms/templates/header.html

 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>
 <%include file="${static.get_themed_template_path(relative_path='theme-header.html', default_path='navigation.html')}" />

lms/templates/help_modal.html

+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>
 
 <%!
@@ -6,6 +7,8 @@ import pytz
 from django.conf import settings
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
+from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.markup import Text, HTML
 from xmodule.tabs import CourseTabList
 %>
 
@@ -28,8 +31,8 @@ from xmodule.tabs import CourseTabList
 
     <header>
       <h2>
-	${_('{platform_name} Help').format(
-	    platform_name=u'<span class="edx">{}</span>'.format(static.get_platform_name())
+	${Text(_('{platform_name} Help')).format(
+	    platform_name=HTML(u'<span class="edx">{}</span>').format(static.get_platform_name())
 	)}
       </h2>
       <hr>
@@ -41,22 +44,30 @@ from xmodule.tabs import CourseTabList
 %>
 
 % if discussion_link:
-    <p>${_('For <strong>questions on course lectures, homework, tools, or materials for this course</strong>, post in the {link_start}course discussion forum{link_end}.').format(
-      link_start='<a href="{url}" target="_blank">'.format(url=discussion_link),
-      link_end='</a>',
+    <p>${Text(_('For {strong_start}questions on course lectures, homework, tools, or materials for this course{strong_end}, post in the {link_start}course discussion forum{link_end}.')).format(
+      strong_start=HTML('<strong>'),
+      strong_end=HTML('</strong>'),
+      link_start=HTML('<a href="{url}" target="_blank">').format(
+        url=discussion_link
+      ),
+      link_end=HTML('</a>'),
       )}
     </p>
 % endif
 
-    <p>${_('Have <strong>general questions about {platform_name}</strong>? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.').format(
-        link_start='<a href="{url}" target="_blank">'.format(
+    <p>${Text(_('Have {strong_start}general questions about {platform_name}{strong_end}? You can find lots of helpful information in the {platform_name} {link_start}FAQ{link_end}.')).format(
+        strong_start=HTML('<strong>'),
+        strong_end=HTML('</strong>'),
+        link_start=HTML('<a href="{url}" target="_blank">').format(
           url=marketing_link('FAQ')
         ),
-        link_end='</a>',
+        link_end=HTML('</a>'),
         platform_name=static.get_platform_name())}
       </p>
 
-    <p>${_('Have a <strong>question about something specific</strong>? You can contact the {platform_name} general support team directly:').format(
+    <p>${Text(_('Have a {strong_start}question about something specific{strong_end}? You can contact the {platform_name} general support team directly:')).format(
+        strong_start=HTML('<strong>'),
+        strong_end=HTML('</strong>'),
         platform_name=static.get_platform_name()
       )}</p>
     <hr>
@@ -99,7 +110,7 @@ from xmodule.tabs import CourseTabList
       <textarea name="details" id="feedback_form_details" aria-required="true"></textarea>
       <input name="issue_type" type="hidden">
 % if course:
-      <input name="course_id" type="hidden" value="${course.id.to_deprecated_string() | h}">
+      <input name="course_id" type="hidden" value="${unicode(course.id)}">
 % endif
       <div class="submit">
         <input name="submit" type="submit" value="${_('Submit')}" id="feedback_submit">
@@ -131,16 +142,16 @@ from xmodule.tabs import CourseTabList
         close_time = "22:00"
     %>
     <p>
-    ${_(
+    ${Text(_(
         'Thank you for your inquiry or feedback.  We typically respond to a request '
         'within one business day (Monday to Friday, {open_time} UTC to {close_time} UTC.) In the meantime, please '
         'review our {link_start}detailed FAQs{link_end} where most questions have '
         'already been answered.'
-    ).format(
+    )).format(
         open_time=open_time,
         close_time=close_time,
-        link_start='<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">'.format(marketing_link('FAQ')),
-        link_end='</a>'
+        link_start=HTML('<a href="{}" target="_blank" id="feedback-faq-link" tabindex="0">').format(marketing_link('FAQ')),
+        link_end=HTML('</a>')
     )}
     </p>
   </div>
@@ -201,29 +212,32 @@ from xmodule.tabs import CourseTabList
     $("#feedback_link_problem").click(function(event) {
         showFeedback(
             event,
-            "${_('problem')}",
-            "${_('Report a Problem')}",
-            "${_('Brief description of the problem')}" + "*",
-            "${_('Details of the problem you are encountering')}" + "*" + "<span class='tip'>" +
-              "${_('Include error messages, steps which lead to the issue, etc.')}" + "</span>"
+            "${_('problem') | n, js_escaped_string}",
+            "${_('Report a Problem') | n, js_escaped_string}",
+            "${_('Brief description of the problem') + '*' | n, js_escaped_string}" ,
+            "${Text(_('Details of the problem you are encountering{asterisk}{begin_span}Include error messages, steps which lead to the issue, etc.{end_span}')).format(
+                asterisk='*',
+                begin_span=HTML('<span class=tip>'),
+                end_span=HTML('</span>'),
+            ) | n, js_escaped_string}"
         );
     });
     $("#feedback_link_suggestion").click(function(event) {
         showFeedback(
             event,
-            "${_('suggestion')}",
-            "${_('Make a Suggestion')}",
-            "${_('Brief description of your suggestion')}" + "*",
-            "${_('Details')}" + "*"
+            "${_('suggestion') | n, js_escaped_string}",
+            "${_('Make a Suggestion') | n, js_escaped_string}",
+            "${_('Brief description of your suggestion') + '*' | n, js_escaped_string}",
+            "${_('Details') + '*' | n, js_escaped_string}"
         );
     });
     $("#feedback_link_question").click(function(event) {
         showFeedback(
             event,
-            "${_('question')}",
-            "${_('Ask a Question')}",
-            "${_('Brief summary of your question')}" + "*",
-            "${_('Details')}" + "*"
+            "${_('question') | n, js_escaped_string}",
+            "${_('Ask a Question') | n, js_escaped_string}",
+            "${_('Brief summary of your question') + '*' | n, js_escaped_string}",
+            "${_('Details') + '*' | n, js_escaped_string}"
         );
     });
     $("#feedback_form").submit(function() {
@@ -251,21 +265,21 @@ from xmodule.tabs import CourseTabList
             $("#feedback_error").html(responseData.error).stop().css("display", "block");
         } else {
             // If no data (or malformed data) is returned, a server error occurred
-            htmlStr = "${_('An error has occurred.')}";
+            htmlStr = "${_('An error has occurred.') | n, js_escaped_string}";
 % if settings.FEEDBACK_SUBMISSION_EMAIL:
-            htmlStr += " " + _.template(
-              "${_('Please {link_start}send us e-mail{link_end}.')}", {interpolate: /\{(.+?)\}/g})(
-                {link_start: '<a href="#" id="feedback_email">', link_end: '</a>'}
-              );
+            htmlStr += " " + "${Text(_('Please {link_start}send us e-mail{link_end}.')).format(
+              link_start=HTML('<a href="#" id="feedback_email">'),
+              link_end=HTML('</a>'),
+            ) | n, js_escaped_string}";
 % else:
             // If no email is configured, we can't do much other than
             // ask the user to try again later
-            htmlStr += " " + "${_('Please try again later.')}";
+            htmlStr += " " + "${_('Please try again later.') | n, js_escaped_string}";
 % endif
             $("#feedback_error").html(htmlStr).stop().css("display", "block");
 % if settings.FEEDBACK_SUBMISSION_EMAIL:
             $("#feedback_email").click(function(e) {
-                mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL}" +
+                mailto = "mailto:" + "${settings.FEEDBACK_SUBMISSION_EMAIL | n, js_escaped_string}" +
                     "?subject=" + $("#feedback_form input[name='subject']").val() +
                     "&body=" + $("#feedback_form textarea[name='details']").val();
                 window.open(mailto);

lms/templates/navigation-edx.html

 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>
 <%namespace file='main.html' import="login_query"/>
 <%!
@@ -48,9 +49,9 @@ site_status_msg = get_site_status_msg(course_id)
 
     % if course and not disable_courseware_header:
     <h2 class="course-header">
-      <span class="provider">${course.display_org_with_default | h}:</span>
-      <span class="course-number">${course.display_number_with_default | h}</span>
-      <span class="course-name">${course.display_name_with_default_escaped}</span>
+      <span class="provider">${course.display_org_with_default}:</span>
+      <span class="course-number">${course.display_number_with_default}</span>
+      <span class="course-name">${course.display_name_with_default}</span>
     </h2>
     % endif
 
@@ -140,7 +141,15 @@ site_status_msg = get_site_status_msg(course_id)
 </header>
 % if course:
 <!--[if lte IE 9]>
-<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div>
+<div class="ie-banner" aria-hidden="true">
+${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
+    begin_strong=HTML('<strong>'),
+    end_strong=HTML('</strong>'),
+    chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
+    ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
+  )
+}
+</div>
 <![endif]-->
 % endif
 

lms/templates/navigation.html

 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='static_content.html'/>
 <%namespace file='main.html' import="login_query"/>
 <%!
@@ -8,6 +9,7 @@ from django.utils.translation import ugettext as _
 from lms.djangoapps.ccx.overrides import get_current_ccx
 from microsite_configuration import microsite
 from microsite_configuration.templatetags.microsite import platform_name
+from openedx.core.djangolib.markup import Text, HTML
 from openedx.core.djangoapps.user_api.accounts.image_helpers import get_profile_image_urls_for_user
 
 # App that handles subdomain specific branding
@@ -48,10 +50,10 @@ site_status_msg = get_site_status_msg(course_id)
     </h1>
 
     % if course:
-    <h2 class="course-header"><span class="provider">${course.display_org_with_default | h}:</span>
-      <span class="course-number">${course.display_number_with_default | h}</span>
+    <h2 class="course-header"><span class="provider">${course.display_org_with_default}:</span>
+      <span class="course-number">${course.display_number_with_default}</span>
       <%
-        display_name = course.display_name_with_default_escaped
+        display_name = course.display_name_with_default
         if settings.FEATURES.get('CUSTOM_COURSES_EDX', False):
           ccx = get_current_ccx(course.id)
           if ccx:
@@ -194,7 +196,15 @@ site_status_msg = get_site_status_msg(course_id)
 </header>
 % if course:
 <!--[if lte IE 9]>
-<div class="ie-banner" aria-hidden="true">${_('<strong>Warning:</strong> Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.').format(chrome_link='<a href="https://www.google.com/chrome" target="_blank">Chrome</a>', ff_link='<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>')}</div>
+<div class="ie-banner" aria-hidden="true">
+${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
+    begin_strong=HTML('<strong>'),
+    end_strong=HTML('</strong>'),
+    chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
+    ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
+  )
+}
+</div>
 <![endif]-->
 % endif