Fix Python false positives with AST.

- Use AST to parse Python.
- Refactor Mako to use Python linting.
- Add optional verbose script argument.
- Skip tests.py files when linting.

openedx/core/djangolib/markup.py

@@ -26,9 +26,9 @@ def HTML(html):                                 # pylint: disable=invalid-name
         from openedx.core.djangolib.markup import Text, HTML
         %>
         ${Text(_("Write & send {start}email{end}")).format(
-            start=HTML("<a href='mailto:{}'>".format(user.email),
+            start=HTML("<a href='mailto:{}'>").format(user.email),
             end=HTML("</a>"),
-           )}
+        )}
 
     """
     return markupsafe.Markup(html)

scripts/safe-commit-linter.sh

@@ -18,6 +18,10 @@ show_help() {
     echo "  -m, --main-branch=COMMIT    Run against files changed between the"
     echo "                              current branch and this commit."
     echo "                              Defaults to origin/master."
+    echo ""
+    echo "For additional help:"
+    echo "  http://edx.readthedocs.org/projects/edx-developer-guide/en/latest/conventions/safe_templates.html#safe-template-linter"
+
 }
 
 for i in "$@"; do

scripts/tests/templates/test.py

+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Testing encoding on second line does not cause violation
 message = "<script>alert('XSS');</script>"
 x = "<string>{}</strong>".format(message)