From 2f037f04e9be004f6fad7cb226ba254d0a2b1fb2 Mon Sep 17 00:00:00 2001
From: Nimisha Asthagiri <nasthagiri@edx.org>
Date: Wed, 23 Mar 2016 11:53:03 -0400
Subject: [PATCH] seq_module.html XSS - Safe by default

---
 lms/templates/seq_module.html | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lms/templates/seq_module.html b/lms/templates/seq_module.html
index 7211726ae2..2bce3a658b 100644
--- a/lms/templates/seq_module.html
+++ b/lms/templates/seq_module.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <div id="sequence_${element_id}" class="sequence" data-id="${item_id}" data-position="${position}" data-ajax-url="${ajax_url}" data-next-url="${next_url}" data-prev-url="${prev_url}">
@@ -17,8 +18,8 @@
         <button class="seq_${item['type']} inactive progress-${item['progress_status']} nav-item"
            data-id="${item['id']}"
            data-element="${idx+1}"
-           data-page-title="${item['page_title']|h}"
-           data-path="${item['path']|h}"
+           data-page-title="${item['page_title']}"
+           data-path="${item['path']}"
            id="tab_${idx}">
             <i class="icon fa seq_${item['type']}" aria-hidden="true"></i>
             <i class="fa fa-fw fa-bookmark bookmark-icon ${"is-hidden" if not item['bookmarked'] else "bookmarked"}" aria-hidden="true"></i>
@@ -40,7 +41,7 @@
     aria-labelledby="tab_${idx}"
     aria-hidden="true"
     class="seq_contents tex2jax_ignore asciimath2jax_ignore">
-    ${item['content'] | h}
+    ${item['content']}
   </div>
   % endfor
   <div id="seq_content"></div>