Merge pull request #223 from edx/IM/security-fixes-12

Incident Management Security Fixes 12

cms/templates/js/metadata-number-entry.underscore

@@ -1,8 +1,8 @@
 <div class="wrapper-comp-setting">
-	<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
-	<input class="input setting-input setting-input-number" type="number" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
-    <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
-        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
+	<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
+	<input class="input setting-input setting-input-number" type="number" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
+    <button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
+        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
     </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>

cms/templates/js/video/transcripts/messages/transcripts-choose.underscore

@@ -1,17 +1,17 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Timed Transcript Conflict") %>
+    <%- gettext("Timed Transcript Conflict") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
+    <%- gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
     <strong>
-        <%= gettext("Which timed transcript would you like to use?") %>
+        <%- gettext("Which timed transcript would you like to use?") %>
     </strong>
 </p>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -28,12 +28,12 @@
             class="action setting-choose"
             type="button"
             name="setting-choose"
-            data-video-id="<%= value %>"
-            value="<%= message %>"
-            data-tooltip="<%= message %>"
+            data-video-id="<%- value %>"
+            value="<%- message %>"
+            data-tooltip="<%- message %>"
         >
             <span>
-                <%= message %>
+                <%= message %> <% // xss-lint: disable=underscore-not-escaped %>
             </span>
         </button>
     <% }) %>

cms/templates/js/video/transcripts/messages/transcripts-found.underscore

@@ -1,16 +1,16 @@
-<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%= gettext("Timed Transcript Found") %></div>
+<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%- gettext("Timed Transcript Found") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %>
+<%- gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New .srt Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New .srt Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
-    <a class="action setting-download" href="/transcripts/download?locator=<%= component_locator %>" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <span><%= gettext("Download Transcript for Editing") %></span>
+    <a class="action setting-download" href="/transcripts/download?locator=<%- component_locator %>" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <span><%- gettext("Download Transcript for Editing") %></span>
     </a>
 </div>

common/lib/xmodule/xmodule/block_metadata_utils.py

@@ -6,6 +6,8 @@ allows us to share code between the XModuleMixin and CourseOverview and
 BlockStructure.
 """
 
+from markupsafe import escape
+
 
 def url_name_for_block(block):
     """
@@ -77,4 +79,4 @@ def display_name_with_default_escaped(block):
     # This escaping is incomplete.  However, rather than switching this to use
     # markupsafe.escape() and fixing issues, better to put that energy toward
     # migrating away from this method altogether.
-    return display_name_with_default(block).replace('<', '&lt;').replace('>', '&gt;')
+    return escape(display_name_with_default(block))