Merge pull request #11905 from edx/douglashall/xss_bug_bash

XSS Bug Bash

lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="add-coupon-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Add Coupon Code')}">
   <div class="inner-wrapper">
     <button class="close-modal">
@@ -48,7 +48,7 @@ from django.core.urlresolvers import reverse
 
             <li class="field" id="add-coupon-modal-field-course_id">
               <label for="coupon_course_id">${_("Course ID")}</label>
-              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id'] | h}"
+              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id']}"
                      readonly aria-required="true"/>
             </li>
             <li class="field full-width" id="add-coupon-modal-field-expiry">

lms/templates/instructor/instructor_dashboard_2/certificate-bulk-white-list.underscore

-<h3><%= gettext("Bulk Exceptions") %></h3>
+<h3><%- gettext("Bulk Exceptions") %></h3>
 <div class="white-list-csv">
     <p class="under-heading">
-     <%= gettext("Upload a comma separated values (.csv) file that contains the usernames or email addresses of learners who have been given exceptions. Include the username or email address in the first comma separated field. You can include an optional note describing the reason for the exception in the second comma separated field.") %>
+     <%- gettext("Upload a comma separated values (.csv) file that contains the usernames or email addresses of learners who have been given exceptions. Include the username or email address in the first comma separated field. You can include an optional note describing the reason for the exception in the second comma separated field.") %>
     </p>
     <form id="bulk-white-list-exception-form" enctype="multipart/form-data">
       <div class="customBrowseBtn">
-        <input disabled="disabled" class="browse-file" placeholder="<%= gettext("Choose File") %>" />
+        <input disabled="disabled" class="browse-file" placeholder="<%- gettext("Choose File") %>" />
         <div class="file-browse btn btn-primary">
-            <span class="browse"> <%= gettext("Browse") %> </span>
+            <span class="browse"> <%- gettext("Browse") %> </span>
             <input class="file_field" id="browseBtn" name="students_list" type="file" accept=".csv"/>
         </div>
       </div>
-      <div><button class="btn-blue disabled upload-csv-button" type="submit"><%= gettext('Add to Exception List') %></button></div>
+      <div><button class="btn-blue disabled upload-csv-button" type="submit"><%- gettext('Add to Exception List') %></button></div>
     </form>
     <div class="bulk-exception-results hidden"></div>
-</div>
+</div>
\ No newline at end of file

lms/templates/instructor/instructor_dashboard_2/certificate-invalidation.underscore

 <p class="under-heading info">
- <%= gettext("To invalidate a certificate for a particular learner, add the username or email address below.") %>
+ <%- gettext("To invalidate a certificate for a particular learner, add the username or email address below.") %>
 </p>
 
 <div class="add-certificate-invalidation">
-    <input class='student-username-or-email' id="certificate-invalidation-user" type="text" placeholder="<%= gettext('Username or email address') %>" aria-describedby='student-user-name-or-email-tip'>
-    <textarea class='notes-field' id="certificate-invalidation-notes" rows="10" placeholder="<%= gettext('Add notes about this learner') %>" aria-describedby='notes-field-tip'></textarea>
+    <input class='student-username-or-email' id="certificate-invalidation-user" type="text" placeholder="<%- gettext('Username or email address') %>" aria-describedby='student-user-name-or-email-tip'>
+    <textarea class='notes-field' id="certificate-invalidation-notes" rows="10" placeholder="<%- gettext('Add notes about this learner') %>" aria-describedby='notes-field-tip'></textarea>
     <br/>
-    <button type="button" class="btn-blue" id="invalidate-certificate"><%= gettext('Invalidate Certificate') %></button>
+    <button type="button" class="btn-blue" id="invalidate-certificate"><%- gettext('Invalidate Certificate') %></button>
 </div>
 
 <div class="message hidden"></div>
@@ -18,11 +18,11 @@
         <table>
             <thead>
                 <tr>
-                    <th class='user-name'><%= gettext('Student') %></th>
-                    <th class='user-name'><%= gettext('Invalidated By') %></th>
-                    <th class='date'><%= gettext('Invalidated') %></th>
-                    <th class='notes'><%= gettext('Notes') %></th>
-                    <th class='action'><%= gettext('Action') %></th>
+                    <th class='user-name'><%- gettext('Student') %></th>
+                    <th class='user-name'><%- gettext('Invalidated By') %></th>
+                    <th class='date'><%- gettext('Invalidated') %></th>
+                    <th class='notes'><%- gettext('Notes') %></th>
+                    <th class='action'><%- gettext('Action') %></th>
                 </tr>
             </thead>
             <tbody>

lms/templates/instructor/instructor_dashboard_2/certificate-white-list-editor.underscore

-<h3><%= gettext("Individual Exceptions") %></h3>
-<p class="under-heading"> <%= gettext("Enter the username or email address of each learner that you want to add as an exception.") %></p>
+<h3><%- gettext("Individual Exceptions") %></h3>
+<p class="under-heading"> <%- gettext("Enter the username or email address of each learner that you want to add as an exception.") %></p>
 <div class='certificate-exception-inputs'>
     <div class="">
     <input class='student-username-or-email' id="certificate-exception" type="text" placeholder="Student email or username" aria-describedby='student-user-name-or-email-tip'>
     <textarea class='notes-field' id="notes" rows="10" placeholder="Free text notes" aria-describedby='notes-field-tip'></textarea>
     </div>
     <div>
-        <button type="button" class="btn-blue" id="add-exception" ><%= gettext("Add to Exception List") %> </button>
+        <button type="button" class="btn-blue" id="add-exception" ><%- gettext("Add to Exception List") %> </button>
     </div>
     <div class='message hidden'></div>
 </div>

lms/templates/instructor/instructor_dashboard_2/certificate-white-list.underscore

-<h3><%= gettext("Generate Exception Certificates") %></h3>
+<h3><%- gettext("Generate Exception Certificates") %></h3>
 <p class="under-heading">
 <label>
     <input type='radio' name='generate-exception-certificates-radio' checked="checked" value='new' aria-describedby='generate-exception-certificates-radio-new-tip'>
@@ -10,7 +10,7 @@
     <span id='generate-exception-certificates-radio-all-tip'><%- gettext('Generate a Certificate for all users on the Exception list') %></span>
 </label>
 </p>
-<button id="generate-exception-certificates" class="btn-blue" type="button"><%= gettext('Generate Exception Certificates') %></button>
+<button id="generate-exception-certificates" class="btn-blue" type="button"><%- gettext('Generate Exception Certificates') %></button>
 <br/>
 <% if (certificates.length === 0) { %>
     <p><%- gettext("No results") %></p>

lms/templates/instructor/instructor_dashboard_2/certificates.html

+<%page args="section_data" expression_filter="h"/>
 <%namespace name='static' file='../../static_content.html'/>
 
-<%! from django.utils.translation import ugettext as _
-import json
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
 
 <%static:require_module module_name="js/certificates/factories/certificate_whitelist_factory" class_name="CertificateWhitelistFactory">
-        CertificateWhitelistFactory('${json.dumps(certificate_white_list)}', "${generate_certificate_exceptions_url}", "${certificate_exception_view_url}", "${generate_bulk_certificate_exceptions_url}");
+        CertificateWhitelistFactory('${certificate_white_list | n, dump_js_escaped_json}', '${generate_certificate_exceptions_url | n, js_escaped_string}', '${certificate_exception_view_url | n, js_escaped_string}', '${generate_bulk_certificate_exceptions_url | n, js_escaped_string}');
 </%static:require_module>
 
 <%static:require_module module_name="js/certificates/factories/certificate_invalidation_factory" class_name="CertificateInvalidationFactory">
-        CertificateInvalidationFactory('${json.dumps(certificate_invalidations)}', '${certificate_invalidation_view_url}');
+        CertificateInvalidationFactory('${certificate_invalidations | n, dump_js_escaped_json}', '${certificate_invalidation_view_url | n, js_escaped_string}');
 </%static:require_module>
 
-<%page args="section_data"/>
 <div class="certificates-wrapper">
 
     <div class="example-certificates">

lms/templates/instructor/instructor_dashboard_2/edit_coupon_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="edit-coupon-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Edit Coupon Code')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/generate_registarion_codes_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="registration_code_generation_modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Generate Registration Code Modal')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/invalidate_registration_code_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%! from django.core.urlresolvers import reverse %>
-<%page args="section_data"/>
 <section id="invalidate_registration_code_modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Enrollment Code Status')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/send_email.html

-<%! from django.utils.translation import ugettext as _ %>
-<%page args="section_data"/>
+<%page args="section_data" expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML
+%>
 
 <div class="vert-left send-email" id="section-send-email">
   <h2> ${_("Send Email")} </h2>
@@ -34,7 +37,7 @@
   <li class="field">
     <label>${_("Message:")}</label>
       <div class="email-editor">
-      ${ section_data['editor'] }
+      ${ HTML(section_data['editor']) }
       </div>
     <input type="hidden" name="message" value="">
   </li>

lms/templates/instructor/instructor_dashboard_2/set_course_mode_price_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="set-course-mode-price-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Set Course Mode Price')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/special_exams.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from datetime import datetime, timedelta
 import pytz
 %>
-<%page args="section_data"/>
 <div class="proctoring-wrapper">
   <div id = "proctoring-accordion">
     <div class="wrap">

lms/templates/instructor/instructor_dashboard_2/student_admin.html

+<%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
-<%page args="section_data"/>
 
 <div>
   %if section_data['is_small_course']: