Merge pull request #11894 from edx/schen/xss-fix-dashboard-course-upsell

Escape properly the elements on the dashboard xseries upsell template

lms/templates/dashboard/_dashboard_certificate_information.html

+<%page expression_filter="h"/>
 <%page args="cert_status, course_overview, enrollment" />
 
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
 from course_modes.models import CourseMode
 %>
 <%namespace name='static' file='../static_content.html'/>
@@ -41,11 +43,11 @@ else:
       ${"{0:.0f}%".format(float(course_overview.lowest_passing_grade)*100)}</span>.
     % elif cert_status['status'] == 'restricted' and enrollment.mode == 'verified':
     <p class="message-copy">
-      ${_("Your verified {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}. If you would like a refund on your {cert_name_long}, please contact our billing address {billing_email}").format(email='<a class="contact-link" href="mailto:{email}">{email}</a>.'.format(email=settings.CONTACT_EMAIL), billing_email='<a class="contact-link" href="mailto:{email}">{email}</a>'.format(email=settings.PAYMENT_SUPPORT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
+      ${Text(_("Your verified {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}. If you would like a refund on your {cert_name_long}, please contact our billing address {billing_email}")).format(email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>.').format(email=settings.CONTACT_EMAIL), billing_email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>').format(email=settings.PAYMENT_SUPPORT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
     </p>
     % elif cert_status['status'] == 'restricted':
     <p class="message-copy">
-      ${_("Your {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}.").format(email='<a class="contact-link" href="mailto:{email}">{email}</a>.'.format(email=settings.CONTACT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
+      ${Text(_("Your {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}.")).format(email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>.').format(email=settings.CONTACT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
     </p>
     % endif
   </p>
@@ -91,7 +93,7 @@ else:
       <li class="action action-share">
         <a class="action-linkedin-profile" target="_blank" href="${cert_status['linked_in_url']}"
          title="${_('Add Certificate to LinkedIn Profile')}"
-         data-course-id="${unicode(course_overview.id)}"
+         data-course-id="${course_overview.id}"
          data-certificate-mode="${cert_status['mode']}"
         >
           <img class="action-linkedin-profile-img"

lms/templates/dashboard/_dashboard_info_language.html

-<%! from django.utils.translation import ugettext as _ %>
-
-<%namespace name='static' file='../static_content.html'/>
-
-<li class="status status-language">
-  <span class="title status-title">
-    ${_("Preferred Language")}
-    (<a href="#change_language" rel="leanModal" class="edit-language">${_("edit")}</a>)
-  </span>
-  <span class="data">${current_language}</span>
-</li>

lms/templates/dashboard/_dashboard_xseries_info.html

+<%page expression_filter="h"/>
 <%page args="program_data, enrollment_mode, display_category" />
 <%!
     from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import Text, HTML
 %>
 <%namespace name='static' file='../static_content.html'/>
     <div class="message message-status is-shown credit-message">
@@ -10,10 +12,10 @@
                     ${_("{category} Program: Interested in more courses in this subject?").format(category=display_category)}
                 </p>
                 <p class="message-copy">
-                    ${_("This course is 1 of {course_count} courses in the {link_start}{program_display_name}{link_end} {program_category}.").format(
+                    ${Text(_("This course is 1 of {course_count} courses in the {link_start}{program_display_name}{link_end} {program_category}.")).format(
                         course_count=program_data['course_count'],
-                        link_start='<a href="{}">'.format(program_data['program_marketing_url']),
-                        link_end='</a>',
+                        link_start=HTML('<a href="{}">').format(program_data['program_marketing_url']),
+                        link_end=HTML('</a>'),
                         program_display_name=program_data['display_name'],
                         program_category=display_category,
                     )}