Update escaping and safe-templating usage

lms/templates/provider/authorize.html

@@ -1,9 +1,12 @@
 ## mako
 
+<%page expression_filter="h"/>
+
 <%!
 from django.utils.translation import ugettext as _
 from provider.templatetags.scope import scopes
 from django.core.urlresolvers import reverse
+from openedx.core.djangolib.markup import Text, HTML
 %>
 
 <%inherit file="../main.html"/>
@@ -14,9 +17,11 @@ from django.core.urlresolvers import reverse
 <div class="authorization-confirmation">
   % if not error:
   <p>
-  ${_("\n    <strong>{application_name}</strong> would like to access your data with the following permissions:\n  ".format(
-    application_name=client.name
-  ))}
+  ${Text(_("{start_strong}{application_name}{end_strong} would like to access your data with the following permissions:")).format(
+    start_strong=HTML("<strong>"),
+    application_name=client.name,
+    end_strong=HTML("</strong>")
+  )}
   </p>
   <ul>
     % for permission in scopes(oauth_data['scope']):
@@ -34,7 +39,7 @@ from django.core.urlresolvers import reverse
       % elif permission == "permissions":
         ${_("To see if you are a global staff user")}
       % else:
-        ${_("Manage your data: {permission}".format(permission=permission))}
+        ${_("Manage your data: {permission}").format(permission=permission)}
       % endif
     </li>
     % endfor

lms/templates/registration/password_reset_complete.html

@@ -1,6 +1,11 @@
 ## mako
 
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 
 <%inherit file="../main.html"/>
 
@@ -27,9 +32,9 @@
             <div class="status submission-success" aria-live="polite">
                 <h4 class="message-title">${_("Password Reset Complete")}</h4>
                 <ul class="message-copy">
-                ${_(
-                    "Your password has been reset. {start_link}Sign-in to your account.{end_link}"
-                    .format(start_link='<a href="/login">', end_link='</a>')
+                ${Text(_("Your password has been reset. {start_link}Sign-in to your account.{end_link}")).format(
+                    start_link=HTML('<a href="/login">'),
+                    end_link=HTML('</a>')
                 )}
                 </ul>
             </div>

lms/templates/registration/password_reset_confirm.html

@@ -1,11 +1,16 @@
 ## mako
 
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 
 <%inherit file="../main.html"/>
 
 <%block name="title">
-    <title>${_("Reset Your {platform_name} Password".format(platform_name=platform_name))}</title>
+    <title>${_("Reset Your {platform_name} Password").format(platform_name=platform_name)}</title>
 </%block>
 
 <%block name="bodyextra">
@@ -18,7 +23,7 @@
 <div id="password-reset-confirm-container" class="login-register">
     <section id="password-reset-confirm-anchor" class="form-type">
         <div id="password-reset-confirm-form" class="form-wrapper" aria-live="polite">
-            <div class="status submission-error ${'hidden' if err_msg is None else ''}">
+            <div class="status submission-error ${'hidden' if not err_msg else ''}">
                 <h4 class="message-title">${_("Error Resetting Password")}</h4>
                 <ul class="message-copy">
                 % if err_msg:
@@ -61,11 +66,16 @@
             <div class="status submission-error">
                 <h4 class="message-title">${_("Invalid Password Reset Link")}</h4>
                 <ul class="message-copy">
-                    ${_((
+                    ${Text(_((
                         "This password reset link is invalid. It may have been used already. To reset your password, "
-                        "go to the {start_link}sign-in{end_link} page and select <strong>Forgot password</strong>."
-                        ).format(start_link='<a href="/login">', end_link='</a>')
-                    )}
+                        "go to the {start_link}sign-in{end_link} page and select {start_strong}Forgot password{end_strong}."
+                        ))).format(
+                            start_link=HTML('<a href="/login">'),
+                            end_link=HTML('</a>'),
+                            start_strong=HTML('<strong>'),
+                            end_strong=HTML('</strong>')
+                        )
+                    }
                 </ul>
             </div>
             % endif

lms/templates/support/refund.html

@@ -1,5 +1,7 @@
 ## mako
 
+<%page expression_filter="h"/>
+
 <%!
 from django.utils.translation import ugettext as _
 from django.utils.html import escape