Make templates safe

lms/templates/instructor/instructor_dashboard_2/add_coupon_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="add-coupon-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Add Coupon Code')}">
   <div class="inner-wrapper">
     <button class="close-modal">
@@ -48,7 +48,7 @@ from django.core.urlresolvers import reverse
 
             <li class="field" id="add-coupon-modal-field-course_id">
               <label for="coupon_course_id">${_("Course ID")}</label>
-              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id'] | h}"
+              <input class="field readonly" id="coupon_course_id" type="text" name="course_id" value="${section_data['course_id']}"
                      readonly aria-required="true"/>
             </li>
             <li class="field full-width" id="add-coupon-modal-field-expiry">

lms/templates/instructor/instructor_dashboard_2/certificate-bulk-white-list.underscore

-<h3><%= gettext("Bulk Exceptions") %></h3>
+<h3><%- gettext("Bulk Exceptions") %></h3>
 <div class="white-list-csv">
     <p class="under-heading">
-     <%= gettext("Upload a comma separated values (.csv) file that contains the usernames or email addresses of learners who have been given exceptions. Include the username or email address in the first comma separated field. You can include an optional note describing the reason for the exception in the second comma separated field.") %>
+     <%- gettext("Upload a comma separated values (.csv) file that contains the usernames or email addresses of learners who have been given exceptions. Include the username or email address in the first comma separated field. You can include an optional note describing the reason for the exception in the second comma separated field.") %>
     </p>
     <form id="bulk-white-list-exception-form" enctype="multipart/form-data">
       <div class="customBrowseBtn">
-        <input disabled="disabled" class="browse-file" placeholder="<%= gettext("Choose File") %>" />
+        <input disabled="disabled" class="browse-file" placeholder="<%- gettext("Choose File") %>" />
         <div class="file-browse btn btn-primary">
-            <span class="browse"> <%= gettext("Browse") %> </span>
+            <span class="browse"> <%- gettext("Browse") %> </span>
             <input class="file_field" id="browseBtn" name="students_list" type="file" accept=".csv"/>
         </div>
       </div>
-      <div><button class="btn-blue disabled upload-csv-button" type="submit"><%= gettext('Add to Exception List') %></button></div>
+      <div><button class="btn-blue disabled upload-csv-button" type="submit"><%- gettext('Add to Exception List') %></button></div>
     </form>
     <div class="bulk-exception-results hidden"></div>
-</div>
+</div>
\ No newline at end of file

lms/templates/instructor/instructor_dashboard_2/certificate-invalidation.underscore

 <p class="under-heading info">
- <%= gettext("To invalidate a certificate for a particular learner, add the username or email address below.") %>
+ <%- gettext("To invalidate a certificate for a particular learner, add the username or email address below.") %>
 </p>
 
 <div class="add-certificate-invalidation">
-    <input class='student-username-or-email' id="certificate-invalidation-user" type="text" placeholder="<%= gettext('Username or email address') %>" aria-describedby='student-user-name-or-email-tip'>
-    <textarea class='notes-field' id="certificate-invalidation-notes" rows="10" placeholder="<%= gettext('Add notes about this learner') %>" aria-describedby='notes-field-tip'></textarea>
+    <input class='student-username-or-email' id="certificate-invalidation-user" type="text" placeholder="<%- gettext('Username or email address') %>" aria-describedby='student-user-name-or-email-tip'>
+    <textarea class='notes-field' id="certificate-invalidation-notes" rows="10" placeholder="<%- gettext('Add notes about this learner') %>" aria-describedby='notes-field-tip'></textarea>
     <br/>
-    <button type="button" class="btn-blue" id="invalidate-certificate"><%= gettext('Invalidate Certificate') %></button>
+    <button type="button" class="btn-blue" id="invalidate-certificate"><%- gettext('Invalidate Certificate') %></button>
 </div>
 
 <div class="message hidden"></div>
@@ -18,11 +18,11 @@
         <table>
             <thead>
                 <tr>
-                    <th class='user-name'><%= gettext('Student') %></th>
-                    <th class='user-name'><%= gettext('Invalidated By') %></th>
-                    <th class='date'><%= gettext('Invalidated') %></th>
-                    <th class='notes'><%= gettext('Notes') %></th>
-                    <th class='action'><%= gettext('Action') %></th>
+                    <th class='user-name'><%- gettext('Student') %></th>
+                    <th class='user-name'><%- gettext('Invalidated By') %></th>
+                    <th class='date'><%- gettext('Invalidated') %></th>
+                    <th class='notes'><%- gettext('Notes') %></th>
+                    <th class='action'><%- gettext('Action') %></th>
                 </tr>
             </thead>
             <tbody>

lms/templates/instructor/instructor_dashboard_2/certificate-white-list-editor.underscore

-<h3><%= gettext("Individual Exceptions") %></h3>
-<p class="under-heading"> <%= gettext("Enter the username or email address of each learner that you want to add as an exception.") %></p>
+<h3><%- gettext("Individual Exceptions") %></h3>
+<p class="under-heading"> <%- gettext("Enter the username or email address of each learner that you want to add as an exception.") %></p>
 <div class='certificate-exception-inputs'>
     <div class="">
     <input class='student-username-or-email' id="certificate-exception" type="text" placeholder="Student email or username" aria-describedby='student-user-name-or-email-tip'>
     <textarea class='notes-field' id="notes" rows="10" placeholder="Free text notes" aria-describedby='notes-field-tip'></textarea>
     </div>
     <div>
-        <button type="button" class="btn-blue" id="add-exception" ><%= gettext("Add to Exception List") %> </button>
+        <button type="button" class="btn-blue" id="add-exception" ><%- gettext("Add to Exception List") %> </button>
     </div>
     <div class='message hidden'></div>
 </div>

lms/templates/instructor/instructor_dashboard_2/certificate-white-list.underscore

-<h3><%= gettext("Generate Exception Certificates") %></h3>
+<h3><%- gettext("Generate Exception Certificates") %></h3>
 <p class="under-heading">
 <label>
     <input type='radio' name='generate-exception-certificates-radio' checked="checked" value='new' aria-describedby='generate-exception-certificates-radio-new-tip'>
@@ -10,7 +10,7 @@
     <span id='generate-exception-certificates-radio-all-tip'><%- gettext('Generate a Certificate for all users on the Exception list') %></span>
 </label>
 </p>
-<button id="generate-exception-certificates" class="btn-blue" type="button"><%= gettext('Generate Exception Certificates') %></button>
+<button id="generate-exception-certificates" class="btn-blue" type="button"><%- gettext('Generate Exception Certificates') %></button>
 <br/>
 <% if (certificates.length === 0) { %>
     <p><%- gettext("No results") %></p>

lms/templates/instructor/instructor_dashboard_2/certificates.html

+<%page args="section_data" expression_filter="h"/>
 <%namespace name='static' file='../../static_content.html'/>
 
-<%! from django.utils.translation import ugettext as _
-import json
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import dump_js_escaped_json, js_escaped_string
 %>
 
 <%static:require_module module_name="js/certificates/factories/certificate_whitelist_factory" class_name="CertificateWhitelistFactory">
-        CertificateWhitelistFactory('${json.dumps(certificate_white_list)}', "${generate_certificate_exceptions_url}", "${certificate_exception_view_url}", "${generate_bulk_certificate_exceptions_url}");
+        CertificateWhitelistFactory('${certificate_white_list | n, dump_js_escaped_json}', '${generate_certificate_exceptions_url | n, js_escaped_string}', '${certificate_exception_view_url | n, js_escaped_string}', '${generate_bulk_certificate_exceptions_url | n, js_escaped_string}');
 </%static:require_module>
 
 <%static:require_module module_name="js/certificates/factories/certificate_invalidation_factory" class_name="CertificateInvalidationFactory">
-        CertificateInvalidationFactory('${json.dumps(certificate_invalidations)}', '${certificate_invalidation_view_url}');
+        CertificateInvalidationFactory('${certificate_invalidations | n, dump_js_escaped_json}', '${certificate_invalidation_view_url | n, js_escaped_string}');
 </%static:require_module>
 
-<%page args="section_data"/>
 <div class="certificates-wrapper">
 
     <div class="example-certificates">

lms/templates/instructor/instructor_dashboard_2/e-commerce.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from datetime import datetime, timedelta
+from openedx.core.djangolib.js_utils import js_escaped_string
 import pytz
 %>
-<%page args="section_data"/>
 <%include file="add_coupon_modal.html" args="section_data=section_data" />
 <%include file="edit_coupon_modal.html" args="section_data=section_data" />
 <%include file="set_course_mode_price_modal.html" args="section_data=section_data" />
@@ -239,7 +240,7 @@ import pytz
 
          $.ajax({
          type: "POST",
-         url: "${section_data['get_user_invoice_preference_url']}",
+         url: "${section_data['get_user_invoice_preference_url'] | n, js_escaped_string}",
          success: function (data) {
              $('#invoice-copy').prop('checked', data.invoice_copy);
              $('#registration_code_generation_link-trigger').click();
@@ -255,13 +256,13 @@ import pytz
          }
          if($('#invoice_number').val() == "") {
                      $('#error-msg').attr('class','error-msgs')
-                     $('#error-msg').html("${_('The Invoice Number field cannot be empty.')}").show();
+                     $('#error-msg').html("${_('The Invoice Number field cannot be empty.') | n, h, js_escaped_string}").show();
                      return
          }
          $.ajax({
              type: "POST",
              data: {invoice_number: $('#invoice_number').val(), event_type:event_type},
-             url: "${section_data['sale_validation_url']}",
+             url: "${section_data['sale_validation_url'] | n, js_escaped_string}",
              success: function (data) {
                  $('#error-msg').attr('class','success-msgs')
                  $('#error-msg').html(data.message).show();
@@ -287,7 +288,7 @@ import pytz
        $.ajax({
          type: "POST",
          data: {id: coupon_id},
-         url: "${section_data['ajax_get_coupon_info']}",
+         url: "${section_data['ajax_get_coupon_info'] | n, js_escaped_string}",
          success: function (data) {
              $('#error-msg').val('');
              $('#error-msg').hide()
@@ -299,7 +300,7 @@ import pytz
                  $('input#edit_coupon_expiration_date').val(data.expiry_date);
              }
              else {
-                $('input#edit_coupon_expiration_date').val("${_('No Expiration Date')}");
+                $('input#edit_coupon_expiration_date').val("${_('No Expiration Date') | n, js_escaped_string}");
              }
              $('#edit-modal-trigger').click();
            },
@@ -323,7 +324,7 @@ import pytz
        $.ajax({
          type: "POST",
          data: {id: $(this).data('item-id')},
-         url: "${section_data['ajax_remove_coupon_url']}",
+         url: "${section_data['ajax_remove_coupon_url'] | n, js_escaped_string}",
          success: function (data) {
              anchor.removeData("disabled");
              location.reload(true);
@@ -359,91 +360,91 @@ import pytz
 
       if (company_name == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the company name.')}");
+        registration_code_error.text("${_('Enter the company name.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (($.isNumeric(company_name))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('The company name cannot be a number.')}");
+        registration_code_error.text("${_('The company name cannot be a number.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (company_contact_name == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the company contact name.')}");
+        registration_code_error.text("${_('Enter the company contact name.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (($.isNumeric(company_contact_name))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('The company contact name cannot be a number.')}");
+        registration_code_error.text("${_('The company contact name cannot be a number.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (company_contact_email == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the email address for the company contact.')}");
+        registration_code_error.text("${_('Enter the email address for the company contact.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (!(validateEmail(company_contact_email))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter a valid email address.')}");
+        registration_code_error.text("${_('Enter a valid email address.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (recipient_name == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the recipient name.')}");
+        registration_code_error.text("${_('Enter the recipient name.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (($.isNumeric(recipient_name))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('The recipient name cannot be a number.')}");
+        registration_code_error.text("${_('The recipient name cannot be a number.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (recipient_email == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the recipient email address.')}");
+        registration_code_error.text("${_('Enter the recipient email address.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (!(validateEmail(recipient_email))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter a valid email address.')}");
+        registration_code_error.text("${_('Enter a valid email address.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (address_line == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the billing address.')}");
+        registration_code_error.text("${_('Enter the billing address.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
       if (unit_price == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the price per course seat.')}");
+        registration_code_error.text("${_('Enter the price per course seat.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false
       }
       if (!($.isNumeric(unit_price))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter a numeric value for the price per course seat. Do not include currency symbols.')}");
+        registration_code_error.text("${_('Enter a numeric value for the price per course seat. Do not include currency symbols.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false
       }
       if (total_registration_codes == '') {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter the number of enrollment codes.')}");
+        registration_code_error.text("${_('Enter the number of enrollment codes.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false
       }
       if (!($.isNumeric(total_registration_codes))) {
         registration_code_error.attr('style', 'display: block !important');
-        registration_code_error.text("${_('Enter a numeric value for the number of enrollment codes.')}");
+        registration_code_error.text("${_('Enter a numeric value for the number of enrollment codes.') | n, js_escaped_string}");
         generate_registration_button.removeAttr('disabled');
         return false;
       }
@@ -464,7 +465,7 @@ import pytz
            "coupon_id"  : coupon_id,
            "description": description
          },
-         url: "${section_data['ajax_update_coupon']}",
+         url: "${section_data['ajax_update_coupon'] | n, js_escaped_string}",
          success: function (data) {
              location.reload(true);
            },
@@ -498,19 +499,19 @@ import pytz
        // Check if empty of not
        if (course_price === '') {
          $('#set_price_form #course_form_error').attr('style', 'display: block !important');
-         $('#set_price_form #course_form_error').text("${_('Enter the price per course seat.')}");
+         $('#set_price_form #course_form_error').text("${_('Enter the price per course seat.') | n, js_escaped_string}");
          $("#set_course_button").removeAttr('disabled');
          return false;
        }
        if (!$.isNumeric(course_price)) {
          $("#set_course_button").removeAttr('disabled');
          $('#set_price_form #course_form_error').attr('style', 'display: block !important');
-         $('#set_price_form #course_form_error').text("${_('Enter a numeric value for the price per course seat. Do not include currency symbols.')}");
+         $('#set_price_form #course_form_error').text("${_('Enter a numeric value for the price per course seat. Do not include currency symbols.') | n, js_escaped_string}");
          return false;
        }
        if (currency == '') {
          $('#set_price_form #course_form_error').attr('style', 'display: block !important');
-         $('#set_price_form #course_form_error').text("${_('Select a currency.')}");
+         $('#set_price_form #course_form_error').text("${_('Select a currency.') | n, js_escaped_string}");
          $("#set_course_button").removeAttr('disabled');
          return false;
        }
@@ -520,7 +521,7 @@ import pytz
            "course_price"  : course_price,
            "currency": currency
          },
-         url: "${section_data['set_course_mode_url']}",
+         url: "${section_data['set_course_mode_url'] | n, js_escaped_string}",
          success: function (data) {
              location.reload(true);
            },
@@ -545,19 +546,19 @@ import pytz
        if (code === '') {
          $("#add_coupon_button").removeAttr('disabled');
          $('#add_coupon_form #coupon_form_error').attr('style', 'display: block !important');
-         $('#add_coupon_form #coupon_form_error').text("${_('Enter a coupon code.')}");
+         $('#add_coupon_form #coupon_form_error').text("${_('Enter a coupon code.') | n, js_escaped_string}");
          return false;
        }
        if (parseInt(coupon_discount) > 100) {
          $('#add_coupon_form #coupon_form_error').attr('style', 'display: block !important');
-         $('#add_coupon_form #coupon_form_error').text("${_('The discount percentage must be less than or equal to 100.')}");
+         $('#add_coupon_form #coupon_form_error').text("${_('The discount percentage must be less than or equal to 100.') | n, js_escaped_string}");
          $("#add_coupon_button").removeAttr('disabled');
          return false;
        }
        if (!$.isNumeric(coupon_discount)) {
          $("#add_coupon_button").removeAttr('disabled');
          $('#add_coupon_form #coupon_form_error').attr('style', 'display: block !important');
-         $('#add_coupon_form #coupon_form_error').text("${_('Enter a numeric value for the discount amount. Do not include the percent sign.')}");
+         $('#add_coupon_form #coupon_form_error').text("${_('Enter a numeric value for the discount amount. Do not include the percent sign.') | n, js_escaped_string}");
          return false;
        }
        $.ajax({
@@ -569,7 +570,7 @@ import pytz
            "description": description,
            "expiration_date": expiration_date
          },
-         url: "${section_data['ajax_add_coupon']}",
+         url: "${section_data['ajax_add_coupon'] | n, js_escaped_string}",
          success: function (data) {
              location.reload(true);
            },

lms/templates/instructor/instructor_dashboard_2/edit_coupon_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="edit-coupon-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Edit Coupon Code')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/generate_registarion_codes_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="registration_code_generation_modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Generate Registration Code Modal')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/invalidate_registration_code_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%! from django.core.urlresolvers import reverse %>
-<%page args="section_data"/>
 <section id="invalidate_registration_code_modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Enrollment Code Status')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/send_email.html

-<%! from django.utils.translation import ugettext as _ %>
-<%page args="section_data"/>
+<%page args="section_data" expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML
+%>
 
 <div class="vert-left send-email" id="section-send-email">
   <h2> ${_("Send Email")} </h2>
@@ -34,7 +37,7 @@
   <li class="field">
     <label>${_("Message:")}</label>
       <div class="email-editor">
-      ${ section_data['editor'] }
+      ${ HTML(section_data['editor']) }
       </div>
     <input type="hidden" name="message" value="">
   </li>

lms/templates/instructor/instructor_dashboard_2/set_course_mode_price_modal.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 %>
-<%page args="section_data"/>
 <section id="set-course-mode-price-modal" class="modal" role="dialog" tabindex="-1" aria-label="${_('Set Course Mode Price')}">
   <div class="inner-wrapper">
     <button class="close-modal">

lms/templates/instructor/instructor_dashboard_2/special_exams.html

+<%page args="section_data" expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from datetime import datetime, timedelta
 import pytz
 %>
-<%page args="section_data"/>
 <div class="proctoring-wrapper">
   <div id = "proctoring-accordion">
     <div class="wrap">

lms/templates/instructor/instructor_dashboard_2/student_admin.html

+<%page args="section_data" expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
-<%page args="section_data"/>
 
 <div>
   %if section_data['is_small_course']: