Making templates more safe from XSS

cms/templates/import.html

+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()">
 <% 
@@ -10,6 +11,7 @@ else:
 <%namespace name='static' file='static_content.html'/>
 <%!
   from django.utils.translation import ugettext as _
+  from openedx.core.djangolib.markup import Text, HTML
   from openedx.core.djangolib.js_utils import (
       dump_js_escaped_json, js_escaped_string
   )
@@ -44,11 +46,11 @@ else:
       <div class="introduction">
         ## Translators: ".tar.gz" is a file extension, and files with that extension are called "gzipped tar files": these terms should not be translated
         %if library:
-            <p>${_("Be sure you want to import a library before continuing. The contents of the imported library will replace the contents of the existing library. {em_start}You cannot undo a library import{em_end}. Before you proceed, we recommend that you export the current library, so that you have a backup copy of it.").format(em_start='<strong>', em_end="</strong>")}</p>
+            <p>${Text(_("Be sure you want to import a library before continuing. The contents of the imported library will replace the contents of the existing library. {em_start}You cannot undo a library import{em_end}. Before you proceed, we recommend that you export the current library, so that you have a backup copy of it.")).format(em_start=HTML('<strong>'), em_end=HTML('</strong>'))}</p>
             <p>${_("The library that you import must be in a .tar.gz file (that is, a .tar file compressed with GNU Zip). This .tar.gz file must contain a library.xml file. It may also contain other files.")}</p>
             <p>${_("The import process has five stages. During the first two stages, you must stay on this page. You can leave this page after the Unpacking stage has completed. We recommend, however, that you don't make important changes to your library until the import operation has completed.")}</p>
         %else:
-            <p>${_("Be sure you want to import a course before continuing. The contents of the imported course will replace the contents of the existing course. {em_start}You cannot undo a course import{em_end}. Before you proceed, we recommend that you export the current course, so that you have a backup copy of it.").format(em_start='<strong>', em_end="</strong>")}</p>
+            <p>${Text(_("Be sure you want to import a course before continuing. The contents of the imported course will replace the contents of the existing course. {em_start}You cannot undo a course import{em_end}. Before you proceed, we recommend that you export the current course, so that you have a backup copy of it.")).format(em_start=HTML('<strong>'), em_end=HTML('</strong>'))}</p>
             <p>${_("The course that you import must be in a .tar.gz file (that is, a .tar file compressed with GNU Zip). This .tar.gz file must contain a course.xml file. It may also contain other files.")}</p>
             <p>${_("The import process has five stages. During the first two stages, you must stay on this page. You can leave this page after the Unpacking stage has completed. We recommend, however, that you don't make important changes to your course until the import operation has completed.")}</p>
         %endif

cms/templates/register.html

+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "register" %></%def>
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
 from django.core.urlresolvers import reverse
 %>
 
@@ -67,14 +69,17 @@ from django.core.urlresolvers import reverse
             <li class="field checkbox required" id="field-tos">
               <input id="tos" name="terms_of_service" type="checkbox" value="true" />
               <label for="tos">
-                ${_("I agree to the {a_start} Terms of Service {a_end}").format(a_start='<a data-rel="edx.org" href="{}">'.format(marketing_link('TOS')), a_end="</a>")}
+                ${Text(_("I agree to the {a_start} Terms of Service {a_end}")).format(
+                    a_start=HTML('<a data-rel="edx.org" href="{}">').format(marketing_link('TOS')),
+                    a_end=HTML("</a>")
+                  )}
               </label>
             </li>
           </ol>
         </fieldset>
 
         <div class="form-actions">
-          <button type="submit" id="submit" name="submit" class="action action-primary">${_("Create My Account &amp; Start Authoring Courses")}</button>
+          <button type="submit" id="submit" name="submit" class="action action-primary">${_("Create My Account & Start Authoring Courses")}</button>
         </div>
 
         <!-- no honor code for CMS, but need it because we're using the lms student object -->

lms/templates/courseware/course_about_sidebar_header.html

+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
@@ -20,7 +21,7 @@ from django.conf import settings
         ## Twitter account. {url} should appear at the end of the text.
         tweet_text = _("I just enrolled in {number} {title} through {account}: {url}").format(
             number=course.number,
-            title=course.display_name_with_default_escaped,
+            title=course.display_name_with_default,
             account=static.get_value('course_about_twitter_account', settings.PLATFORM_TWITTER_ACCOUNT),
             url=u"http://{domain}{path}".format(
                 domain=site_domain,
@@ -35,7 +36,7 @@ from django.conf import settings
             subject=_("Take a course with {platform} online").format(platform=platform_name),
             body=_("I just enrolled in {number} {title} through {platform} {url}").format(
                 number=course.number,
-                title=course.display_name_with_default_escaped,
+                title=course.display_name_with_default,
                 platform=platform_name,
                 url=u"http://{domain}{path}".format(
                     domain=site_domain,

lms/templates/courseware/course_updates.html

-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+    from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import HTML
+%>
 <section>
 <div class="recent-updates">
   % for index, update in enumerate(visible_updates):
@@ -15,7 +19,7 @@
         ></button>
       % endif
       <div class="toggle-visibility-element article-content ${'hidden' if index >= 1 else ''}" id="msg-content-${index}">
-        ${update.get("content")}
+        ${HTML(update.get("content"))}
       </div>
     </article>
   % endfor
@@ -43,7 +47,7 @@
           aria-controls="msg-content-${index + len(visible_updates)}"
           aria-expanded="false"
       ></button>
-      <div class="toggle-visibility-element article-content hidden" id="msg-content-${index + len(visible_updates)}">${update.get("content")}</div>
+      <div class="toggle-visibility-element article-content hidden" id="msg-content-${index + len(visible_updates)}">${HTML(update.get("content"))}</div>
     </article>
   % endfor
 </div>

lms/templates/courseware/date_summary.html

+<%page expression_filter="h"/>
 <div class="date-summary-container">
     <div class="date-summary date-summary-${css_class}">
         % if title:

lms/templates/problem_ajax.html

-<div id="problem_${element_id}" class="problems-wrapper" data-problem-id="${id}" data-url="${ajax_url}" data-progress_status="${progress_status}" data-progress_detail="${progress_detail}" data-content="${content | h}"></div>
+<%page expression_filter="h"/>
+<div id="problem_${element_id}" class="problems-wrapper" data-problem-id="${id}" data-url="${ajax_url}" data-progress_status="${progress_status}" data-progress_detail="${progress_detail}" data-content="${content}"></div>
\ No newline at end of file