diff --git a/cms/templates/js/metadata-number-entry.underscore b/cms/templates/js/metadata-number-entry.underscore
index 8621ab528c..7f8572e1e8 100644
--- a/cms/templates/js/metadata-number-entry.underscore
+++ b/cms/templates/js/metadata-number-entry.underscore
@@ -1,8 +1,8 @@
- - -
-<%= model.get('help') %>
+<%- model.get('help') %>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore b/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
index d626443964..f7ae0a4c21 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-choose.underscore
@@ -1,17 +1,17 @@
- <%= gettext("Timed Transcript Conflict") %>
+ <%- gettext("Timed Transcript Conflict") %>

- <%= gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
+ <%- gettext("The timed transcript for the first video file does not appear to be the same as the timed transcript for the second video file.") %>
- <%= gettext("Which timed transcript would you like to use?") %>
+ <%- gettext("Which timed transcript would you like to use?") %>

@@ -28,12 +28,12 @@ class="action setting-choose" type="button" name="setting-choose" - data-video-id="<%= value %>" - value="<%= message %>" - data-tooltip="<%= message %>" + data-video-id="<%- value %>" + value="<%- message %>" + data-tooltip="<%- message %>" > - <%= message %> + <%= message %> <% // xss-lint: disable=underscore-not-escaped %> <% }) %> diff --git a/cms/templates/js/video/transcripts/messages/transcripts-found.underscore b/cms/templates/js/video/transcripts/messages/transcripts-found.underscore index a803a453f7..e42706953b 100644 --- a/cms/templates/js/video/transcripts/messages/transcripts-found.underscore +++ b/cms/templates/js/video/transcripts/messages/transcripts-found.underscore @@ -1,16 +1,16 @@ -
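Review bot: The button body in the `@@ -28,12 +28,12 @@` hunk of transcripts-choose.underscore still interpolates `<%= message %>` unescaped and silences the linter with `xss-lint: disable=underscore-not-escaped`, while the same `message` value is escaped in the `value` and `data-tooltip` attributes just above it. Nothing in the hunk says why the body needs raw HTML; if `message` is plain text, use `<%- message %>` here too and drop the pragma. If it really carries trusted markup, record where it is built and sanitised in a template comment beside the pragma, for example `<% // message is HTML produced by <caller>; interpolated raw on purpose %>`. The loop around this button starts outside the hunk, so the origin of `message` cannot be confirmed from here.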
<%= gettext("Timed Transcript Found") %>
+
<%- gettext("Timed Transcript Found") %>

-<%= gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %> +<%- gettext("EdX has a timed transcript for this video. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript. If you want to replace this transcript, upload a new .srt transcript file.") %>

- - "> - <%= gettext("Download Transcript for Editing") %> + "> + <%- gettext("Download Transcript for Editing") %>
diff --git a/common/lib/xmodule/xmodule/block_metadata_utils.py b/common/lib/xmodule/xmodule/block_metadata_utils.py index acc29055b8..8db6e37bc2 100644 --- a/common/lib/xmodule/xmodule/block_metadata_utils.py +++ b/common/lib/xmodule/xmodule/block_metadata_utils.py @@ -6,6 +6,8 @@ allows us to share code between the XModuleMixin and CourseOverview and BlockStructure. """ +from markupsafe import escape + def url_name_for_block(block): """ @@ -77,4 +79,4 @@ def display_name_with_default_escaped(block): # This escaping is incomplete. However, rather than switching this to use # markupsafe.escape() and fixing issues, better to put that energy toward # migrating away from this method altogether. - return display_name_with_default(block).replace('<', '<').replace('>', '>') + return escape(display_name_with_default(block))
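Review bot: The comment kept above the new `return` in `display_name_with_default_escaped` still says the escaping is incomplete and that switching to `markupsafe.escape()` was deliberately avoided, which now contradicts the code. Replace it with something like `# Returns the display name HTML-escaped via markupsafe; prefer display_name_with_default and escape at render time.` Also, `escape()` returns a `Markup` object rather than a plain string, and it encodes `&` and quote characters in addition to the angle brackets the old line handled. Callers that escape the result again will therefore double-encode, and any concatenation or formatting on the result will auto-escape the other operands. If callers expect a plain text value, convert the result back to the text type before returning. The function's signature and docstring lie outside this hunk and no callers are visible, so the impact needs checking against them.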