From 25cf39daa45eec5af3d32d16bd3f34d9a197e024 Mon Sep 17 00:00:00 2001 From: asadazam93 Date: Fri, 28 Dec 2018 15:27:02 +0500 Subject: [PATCH] Clean XSS in lms template --- AUTHORS | 1 + openedx/core/djangoapps/debug/views.py | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index c1d0b68be2..6105687e8c 100644 --- a/AUTHORS +++ b/AUTHORS @@ -290,3 +290,4 @@ Matt Tuchfarber Stuart Young Michael Youngstrom Sahar Markovich +Asad Azam diff --git a/openedx/core/djangoapps/debug/views.py b/openedx/core/djangoapps/debug/views.py index 3573f3c8f7..bbd2dd753c 100644 --- a/openedx/core/djangoapps/debug/views.py +++ b/openedx/core/djangoapps/debug/views.py @@ -3,6 +3,7 @@ Views that are only activated when the project is running in development mode. These views will NOT be shown on production: trying to access them will result in a 404 error. """ +import bleach from django.http import HttpResponseNotFound from django.template import TemplateDoesNotExist from django.utils.translation import ugettext as _ @@ -52,4 +53,4 @@ def show_reference_template(request, template): return render_to_response(template, context) except TemplateDoesNotExist: - return HttpResponseNotFound('Missing template {template}'.format(template=template)) + return HttpResponseNotFound('Missing template {template}'.format(template=bleach.clean(template, strip=True)))
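Review bot: The sanitizer in the new `HttpResponseNotFound` line of views.py is heavier than the problem needs: `bleach.clean(template, strip=True)` silently drops any tag-like text from the requested name, so the 404 body no longer reports what was actually asked for, and it pulls a new `bleach` import into a module that otherwise only uses Django. Since the value is only ever interpolated into an HTML response body, HTML-escaping it is the exact fix and keeps the text intact: `from django.utils.html import format_html` and `return HttpResponseNotFound(format_html('Missing template {}', template))`, which escapes `<`, `>`, `&` and quotes. If `bleach` is kept on purpose, a one-line comment on that return such as `# template comes from the URL; sanitize before reflecting it into HTML` would tell the next reader why sanitizing rather than escaping was chosen. The enclosing `show_reference_template` starts before the hunk, so the earlier handling of `template` in that function was not reviewed here.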