seq_module.html XSS - Safe by default

lms/templates/seq_module.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <div id="sequence_${element_id}" class="sequence" data-id="${item_id}" data-position="${position}" data-ajax-url="${ajax_url}" data-next-url="${next_url}" data-prev-url="${prev_url}">
@@ -17,8 +18,8 @@
         <button class="seq_${item['type']} inactive progress-${item['progress_status']} nav-item"
            data-id="${item['id']}"
            data-element="${idx+1}"
-           data-page-title="${item['page_title']|h}"
-           data-path="${item['path']|h}"
+           data-page-title="${item['page_title']}"
+           data-path="${item['path']}"
            id="tab_${idx}">
             <i class="icon fa seq_${item['type']}" aria-hidden="true"></i>
             <i class="fa fa-fw fa-bookmark bookmark-icon ${"is-hidden" if not item['bookmarked'] else "bookmarked"}" aria-hidden="true"></i>
@@ -40,7 +41,7 @@
     aria-labelledby="tab_${idx}"
     aria-hidden="true"
     class="seq_contents tex2jax_ignore asciimath2jax_ignore">
-    ${item['content'] | h}
+    ${item['content']}
   </div>
   % endfor
   <div id="seq_content"></div>