Merge pull request #12051 from edx/attiya/safe-templates

Safe Templates

Merge pull request #12051 from edx/attiya/safe-templates
Safe Templates
fb83cd71 · attiyaIshaque · 74346430 · 002ad84d · fb83cd71 · fb83cd71
Commit fb83cd71 authored Apr 21, 2016 by attiyaIshaque
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 10 deletions

cms/templates/edit-tabs.html
+5 -4

cms/templates/error.html
+7 -6

No files found.
--- a/cms/templates/edit-tabs.html
+++ b/cms/templates/edit-tabs.html
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "pages" %></%def>
 <%namespace name='static' file='static_content.html'/>
@@ -5,7 +6,7 @@
  from django.utils.translation import ugettext as _
  from django.core.urlresolvers import reverse
  from xmodule.tabs import StaticTab
-  from django.template.defaultfilters import escapejs
+  from openedx.core.djangolib.js_utils import js_escaped_string
 %>
 <%block name="title">${_("Pages")}</%block>
 <%block name="bodyclass">is-signedin course view-static-pages</%block>
@@ -20,7 +21,7 @@

 <%block name="requirejs">
    require(["js/factories/edit_tabs"], function (EditTabsFactory) {
-        EditTabsFactory("${context_course.location | escapejs}", "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}");
+        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('contentstore.views.tabs_handler', kwargs={'course_key_string': context_course.id})}");
    });
 </%block>

@@ -30,7 +31,7 @@
    <h1 class="page-header">
      <small class="subtitle">${_("Content")}</small>
      ## Translators: Pages refer to the tabs that appear in the top navigation of each course.
-      <span class="sr">&gt; </span>${_("Pages")}
+      <span class="sr"> > </span>${_("Pages")}
    </h1>

    <nav class="nav-actions" aria-label="${_('Page Actions')}">
@@ -72,7 +73,7 @@
                %>

                % if isinstance(tab, StaticTab):
-                    <li class="component ${css_class}" data-locator="${tab.locator | h}" data-tab-id="${tab.tab_id | h}"></li>
+                    <li class="component ${css_class}" data-locator="${tab.locator}" data-tab-id="${tab.tab_id}"></li>

                % else:
                    <li class="course-nav-item ${css_class}" data-tab-id="${tab.tab_id}">

--- a/cms/templates/error.html
+++ b/cms/templates/error.html
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%!
 from django.utils.translation import ugettext as _
@@ -22,17 +23,17 @@ help_link_end = '</a>'
  <article class="error-prompt">
    % if error == '404':
      <h1>${_("The Page You Requested Page Cannot be Found")}</h1>
-      <p class="description">${_("We're sorry. We couldn't find the {studio_name} page you're looking for. You may want to return to the {studio_name} Dashboard and try again. If you are still having problems accessing things, please feel free to {link_start}contact {studio_name} support{link_end} for further help.").format(
+      <p class="description">${Text(_("We're sorry. We couldn't find the {studio_name} page you're looking for. You may want to return to the {studio_name} Dashboard and try again. If you are still having problems accessing things, please feel free to {link_start}contact {studio_name} support{link_end} for further help.")).format(
          studio_name=settings.STUDIO_SHORT_NAME,
-          link_start=help_link_start,
-          link_end=help_link_end,
+          link_start=HTML(help_link_start),
+          link_end=HTML(help_link_end),
        )}</p>
    % elif error == '500':
      <h1>${_("The Server Encountered an Error")}</h1>
-      <p class="description">${_("We're sorry. There was a problem with the server while trying to process your last request. You may want to return to the {studio_name} Dashboard or try this request again. If you are still having problems accessing things, please feel free to {link_start}contact {studio_name} support{link_end} for further help.").format(
+      <p class="description">${Text(_("We're sorry. There was a problem with the server while trying to process your last request. You may want to return to the {studio_name} Dashboard or try this request again. If you are still having problems accessing things, please feel free to {link_start}contact {studio_name} support{link_end} for further help.")).format(
          studio_name=settings.STUDIO_SHORT_NAME,
-          link_start=help_link_start,
-          link_end=help_link_end,
+          link_start=HTML(help_link_start),
+          link_end=HTML(help_link_end),
        )}</p>
    % endif
    <a href="/" class="back-button">${_("Back to dashboard")}</a>