XSS fixes

cms/templates/certificates.html
cms/templates/js/certificate-web-preview.underscore

cms/templates/certificates.html

@@ -88,12 +88,12 @@ CMS.User.isGlobalStaff = '${is_global_staff}'=='True' ? true : false;
             <h3 class="title-3">${_("Working with Certificates")}</h3>
             <p>${_("Specify a course title to use on the certificate if the course's official title is too long to be displayed well.")}</p>
             <p>${_("For verified certificates, specify between one and four signatories and upload the associated images.")}</p>
-            <p>${_("To edit or delete a certificate before it is activated, hover over the top right corner of the form and select {em_start}Edit{em_end} or the delete icon.").format(em_start="<strong>", em_end="</strong>")}</p>
-            <p>${_("To view a sample certificate, choose a course mode and select {em_start}Preview Certificate{em_end}.").format(em_start='<strong>', em_end="</strong>")}</p>
+            <p>${Text(_("To edit or delete a certificate before it is activated, hover over the top right corner of the form and select {em_start}Edit{em_end} or the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
+            <p>${Text(_("To view a sample certificate, choose a course mode and select {em_start}Preview Certificate{em_end}.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
 
             <h3 class="title-3">${_("Issuing Certificates to Learners")}</h3>
-            <p>${_("To begin issuing course certificates, a course team member with either the Staff or Admin role selects {em_start}Activate{em_end}. Only course team members with these roles can edit or delete an activated certificate.").format(em_start="<strong>", em_end="</strong>")}</p>
-            <p>${_("{em_start}Do not{em_end} delete certificates after a course has started; learners who have already earned certificates will no longer be able to access them.").format(em_start="<strong>", em_end="</strong>")}</p>
+            <p>${Text(_("To begin issuing course certificates, a course team member with either the Staff or Admin role selects {em_start}Activate{em_end}. Only course team members with these roles can edit or delete an activated certificate.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
+            <p>${Text(_("{em_start}Do not{em_end} delete certificates after a course has started; learners who have already earned certificates will no longer be able to access them.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
             <p><a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about certificates")}</a></p>
           </div>
         </div>

cms/templates/js/certificate-web-preview.underscore

-<label for="course-modes"><%= gettext("Choose mode") %></label>
+<label for="course-modes"><%- gettext("Choose mode") %></label>
 <select id="course-modes">
 <% _.each(course_modes, function(course_mode) { %>
-     <option value= "<%= course_mode %>"><%= course_mode %></option>
+     <option value= "<%- course_mode %>"><%- course_mode %></option>
 <% }); %>
 </select>
-<a href=<%= certificate_web_view_url %> class="button preview-certificate-link" target="_blank">
-    <%= gettext("Preview Certificate") %>
+<a href=<%- certificate_web_view_url %> class="button preview-certificate-link" target="_blank">
+    <%- gettext("Preview Certificate") %>
 </a>
 <button class="button activate-cert">
     <span>
     <% if(!is_active) { %>
-        <%= gettext("Activate") %></span>
+        <%- gettext("Activate") %></span>
     <% } else { %>
-        <%= gettext("Deactivate") %></span>
+        <%- gettext("Deactivate") %></span>
     <% } %>
 </button>