From 752e0b918d566b1755f02e8b19caf8ca3b6a2047 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 16:12:46 +0500
Subject: [PATCH 01/11] PROD-2145

---
 .../lib/capa/capa/templates/matlabinput.html  | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/common/lib/capa/capa/templates/matlabinput.html b/common/lib/capa/capa/templates/matlabinput.html
index 58bae3f857..0249332c6f 100644
--- a/common/lib/capa/capa/templates/matlabinput.html
+++ b/common/lib/capa/capa/templates/matlabinput.html
@@ -1,10 +1,11 @@
+<%page expression_filter="h"/>
 <section id="textbox_${id}" class="capa_inputtype cminput">
 <div class="script_placeholder" data-src="${matlab_editor_js}"></div>
-<textarea 
-  rows="${rows}" 
-  cols="${cols}" 
-  name="input_${id}" 
-  aria-describedby="answer_${id}" 
+<textarea
+  rows="${rows}"
+  cols="${cols}"
+  name="input_${id}"
+  aria-describedby="answer_${id}"
   id="input_${id}"
   data-tabsize="${tabsize}"
   data-mode="octave"
@@ -14,7 +15,7 @@
  % if hidden:
   style="display:none;"
  % endif
-  >${value|h}</textarea>
+  >${value}</textarea>
 
   <div class="grader-status" tabindex="-1">
 
@@ -34,10 +35,10 @@
   <span id="answer_${id}"></span>
 
   <div class="external-grader-message" aria-live="polite">
-    ${msg|n}
+    ${msg|n, decode.utf8}
   </div>
   <div class="ungraded-matlab-result" aria-live="polite">
-    ${queue_msg|n}
+    ${queue_msg|n, decode.utf8}
   </div>
 
   % if button_enabled:
@@ -52,8 +53,13 @@
           if($(parent_elt).find('.capa_alert').length) {
               $(parent_elt).find('.capa_alert').remove();
           }
-          var alert_elem = $("<div>" + msg + "</div>");
+          var alert_elem = $(edx.HtmlUtils.joinHtml(
+            edx.HtmlUtils.HTML("<div>"),
+            msg,
+            edx.HtmlUtils.HTML("</div>")
+          ).toString());
           alert_elem.addClass('capa_alert').addClass('is-fading-in');
+          // xss-lint: disable=javascript-jquery-insertion
           $(parent_elt).find('.action').after(alert_elem);
       };
 
@@ -61,7 +67,7 @@
       var plot = function(event) {
           var problem_elt = $(event.target).closest('.problems-wrapper');
           url = $(event.target).closest('.problems-wrapper').data('url');
-          input_id = "${id}";
+          input_id = "${id|n, decode.utf8}";
 
           // save the codemirror text to the textarea
           // since there could be multiple codemirror instances on the page,
@@ -69,7 +75,7 @@
           $('.CodeMirror').each(function(i, el){
               el.CodeMirror.save();
           });
-          var input = $("#input_${id}");
+          var input = $("#input_${id|n, decode.utf8}");
 
           // pull out the coded text
           submission = input.val();
@@ -83,10 +89,10 @@
                    var external_grader_msg = $(response.html).find(".external-grader-message").html();
                    var result_elem = $(problem_elt).find(".ungraded-matlab-result");
                    result_elem.addClass("is-fading-in");
-                   result_elem.html(new_result_elem);
+                   edx.HtmlUtils.setHtml(result_elem, new_result_elem);
                    var external_grader_msg_elem = $(problem_elt).find(".external-grader-message");
                    external_grader_msg_elem.addClass("is-fading-in");
-                   external_grader_msg_elem.html(external_grader_msg);
+                   edx.HtmlUtils.setHtml(external_grader_msg_elem, external_grader_msg);
                    // If we have a message about waiting for the external grader.
                    if (external_grader_msg.trim()) {
                         result_elem.html('');
@@ -128,7 +134,7 @@
           // save the answer
           $.postWithPrefix(url + '/problem_save', answer, save_callback);
       };
-      $('#plot_${id}').click(plot);
+      $('#plot_${id|n, decode.utf8}').click(plot);
 
     });
   </script>

From f7a4f85a902638db368be2637dff53863222d445 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 16:49:17 +0500
Subject: [PATCH 02/11] PROD-2144

---
 cms/templates/widgets/video/codemirror-edit.html | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/widgets/video/codemirror-edit.html b/cms/templates/widgets/video/codemirror-edit.html
index 1db705e0ca..b044667b3d 100644
--- a/cms/templates/widgets/video/codemirror-edit.html
+++ b/cms/templates/widgets/video/codemirror-edit.html
@@ -1,13 +1,13 @@
 <%! from django.utils.translation import ugettext as _ %>
-<%page args="tabName"/>
+<%page args="tabName" expression_filter="h"/>
 <div>
-  <textarea id="xml-${html_id}" class="edit-box">${data | h}</textarea>
+  <textarea id="xml-${html_id}" class="edit-box">${data}</textarea>
 </div>
 
 <script type='text/javascript'>
 require(["domReady!", "jquery", "codemirror"], function(doc, $, CodeMirror) {
   ## Init CodeMirror editor
-  var el = $("#xml-${html_id}"),
+  var el = $("#xml-${html_id|n, decode.utf8}"),
         xml_editor = CodeMirror.fromTextArea(el.get(0), {
           mode: "application/xml",
           lineNumbers: true,
@@ -15,13 +15,13 @@ require(["domReady!", "jquery", "codemirror"], function(doc, $, CodeMirror) {
         });
 
   TabsEditingDescriptor.Model.addModelUpdate(
-    '${html_id}',
-    '${tabName}',
+    '${html_id|n, decode.utf8}',
+    '${tabName|n, decode.utf8}',
     function()  { return xml_editor.getValue(); })
 
   TabsEditingDescriptor.Model.addOnSwitch(
-    '${html_id}',
-    '${tabName}',
+    '${html_id|n, decode.utf8}',
+    '${tabName|n, decode.utf8}',
     function(){
         ## CodeMirror should get focus when tab is active
         xml_editor.refresh();

From 25c5cb17b267c6023bd8dd7a416ab8ce9064ea81 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 16:50:24 +0500
Subject: [PATCH 03/11] PROD-2142

---
 common/static/common/templates/components/tabpanel.underscore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/static/common/templates/components/tabpanel.underscore b/common/static/common/templates/components/tabpanel.underscore
index a4288e6c9c..41e0f2d7b4 100644
--- a/common/static/common/templates/components/tabpanel.underscore
+++ b/common/static/common/templates/components/tabpanel.underscore
@@ -1 +1 @@
-<div role="tabpanel" class="tabpanel is-hidden" id="<%= tabId %>" aria-labelledby="tab-<%= index %>" aria-hidden="true" tabindex="0"></div>
+<div role="tabpanel" class="tabpanel is-hidden" id="<%- tabId %>" aria-labelledby="tab-<%- index %>" aria-hidden="true" tabindex="0"></div>

From 46c85b586025036b3662b384b6c3d2789c0c1f03 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 17:02:17 +0500
Subject: [PATCH 04/11] PROD-2141

---
 cms/templates/widgets/video/transcripts.html | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/widgets/video/transcripts.html b/cms/templates/widgets/video/transcripts.html
index b2f14920de..5d007e7736 100644
--- a/cms/templates/widgets/video/transcripts.html
+++ b/cms/templates/widgets/video/transcripts.html
@@ -1,6 +1,6 @@
 <%! from django.utils.translation import ugettext as _ %>
 <%namespace name='static' file='../../static_content.html'/>
-<%page args="tabName"/>
+<%page args="tabName" expression_filter="h"/>
 
 <%
 import json
@@ -25,7 +25,7 @@ import json
     </script>
 % endfor
 
-<div class="wrapper-comp-settings basic_metadata_edit" data-metadata='${json.dumps(transcripts_basic_tab_metadata) | h}'></div>
+<div class="wrapper-comp-settings basic_metadata_edit" data-metadata='${json.dumps(transcripts_basic_tab_metadata)}'></div>
 
 <script type="text/javascript">
     require(
@@ -37,13 +37,13 @@ import json
 
         function(doc, $, Editor) {
             var transcripts = new Editor({
-                    el: $('#editor-tab-${html_id}').find('.basic_metadata_edit')
+                    el: $('#editor-tab-${html_id|n, decode.utf8}').find('.basic_metadata_edit')
                 }),
                 storage = TabsEditingDescriptor.getStorage();
 
             TabsEditingDescriptor.Model.addModelUpdate(
-                '${html_id}',
-                '${tabName}',
+                '${html_id|n, decode.utf8}',
+                '${tabName|n, decode.utf8}',
                 function () {
                     // Advanced, Save
                     metadataEditor = storage.MetadataEditor;
@@ -55,8 +55,8 @@ import json
             );
 
             TabsEditingDescriptor.Model.addOnSwitch(
-                '${html_id}',
-                '${tabName}',
+                '${html_id|n, decode.utf8}',
+                '${tabName|n, decode.utf8}',
                 function () {
                     // Basic
                     metadataEditor = storage.MetadataEditor;

From 428e04d36dd4fa9cd08a8de568fa6bc05e9a3e55 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 17:09:13 +0500
Subject: [PATCH 05/11] PROD-2140

---
 .../common/templates/components/paginated-view.underscore | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/common/static/common/templates/components/paginated-view.underscore b/common/static/common/templates/components/paginated-view.underscore
index 55f161b55a..3ee1e590a0 100644
--- a/common/static/common/templates/components/paginated-view.underscore
+++ b/common/static/common/templates/components/paginated-view.underscore
@@ -1,4 +1,4 @@
-<div class="sr-is-focusable sr-<%= type %>-view" tabindex="-1"></div>
-<div class="<%= type %>-paging-header"></div>
-<ul class="<%= type %>-list cards-list"></ul>
-<div class="<%= type %>-paging-footer"></div>
+<div class="sr-is-focusable sr-<%- type %>-view" tabindex="-1"></div>
+<div class="<%- type %>-paging-header"></div>
+<ul class="<%- type %>-list cards-list"></ul>
+<div class="<%- type %>-paging-footer"></div>

From 3b03e9c2f73c45e343da0efa901deb2aa4a84c93 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 17:28:18 +0500
Subject: [PATCH 06/11] PROD-2117

---
 .../static/teams/templates/team-membership-details.underscore   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/djangoapps/teams/static/teams/templates/team-membership-details.underscore b/lms/djangoapps/teams/static/teams/templates/team-membership-details.underscore
index ae91aef5f0..4158da266d 100644
--- a/lms/djangoapps/teams/static/teams/templates/team-membership-details.underscore
+++ b/lms/djangoapps/teams/static/teams/templates/team-membership-details.underscore
@@ -1,4 +1,4 @@
-<span class="member-count"><%= membership_message %></span>
+<span class="member-count"><%- membership_message %></span>
 <ul class="list-member-thumbs">
     <% _.each(memberships, function (membership) { %>
         <li class="item-member-thumb"><img alt="<%- membership.user.username %>" src="<%- membership.user.profile_image.image_url_small %>"></img></li>

From 027ea1373d4754efbc4213945df2c2674458093e Mon Sep 17 00:00:00 2001
From: azanbinzahid <azan.zahid@arbisoft.com>
Date: Mon, 14 Dec 2020 18:26:05 +0500
Subject: [PATCH 07/11] PROD-2202

---
 .../common/js/components/utils/view_utils.js      | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/common/static/common/js/components/utils/view_utils.js b/common/static/common/js/components/utils/view_utils.js
index 080f9418b1..64ac2fcbd2 100644
--- a/common/static/common/js/components/utils/view_utils.js
+++ b/common/static/common/js/components/utils/view_utils.js
@@ -6,8 +6,8 @@
 
     /* RequireJS */
     define(['jquery', 'underscore', 'gettext', 'common/js/components/views/feedback_notification',
-        'common/js/components/views/feedback_prompt'],
-        function($, _, gettext, NotificationView, PromptView) {
+        'common/js/components/views/feedback_prompt', 'edx-ui-toolkit/js/utils/html-utils'],
+        function($, _, gettext, NotificationView, PromptView, HtmlUtils) {
     /* End RequireJS */
     /* Webpack
     define(['jquery', 'underscore', 'gettext', 'common/js/components/views/feedback_notification',
@@ -247,10 +247,17 @@
             };
 
             checkTotalKeyLengthViolations = function(selectors, classes, keyFieldSelectors, messageTpl) {
+                var tempHtml;
                 if (!validateTotalKeyLength(keyFieldSelectors)) {
                     $(selectors.errorWrapper).addClass(classes.shown).removeClass(classes.hiding);
-                    $(selectors.errorMessage).html(
-                        '<p>' + _.template(messageTpl)({limit: MAX_SUM_KEY_LENGTH}) + '</p>'
+                    tempHtml = HtmlUtils.joinHtml(
+                            HtmlUtils.HTML('<p>'),
+                            HtmlUtils.template(messageTpl)({limit: MAX_SUM_KEY_LENGTH}),
+                            HtmlUtils.HTML('</p>')
+                    );
+                    HtmlUtils.setHtml(
+                        $(selectors.errorMessage),
+                        tempHtml
                     );
                     $(selectors.save).addClass(classes.disabled);
                 } else {

From 30c30740d7bb6e361f1e625774bc10f577021656 Mon Sep 17 00:00:00 2001
From: azanbinzahid <azan.zahid@arbisoft.com>
Date: Mon, 14 Dec 2020 18:30:08 +0500
Subject: [PATCH 08/11] PROD-2203

---
 .../js/student_account/views/HintedLoginView.js    | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lms/static/js/student_account/views/HintedLoginView.js b/lms/static/js/student_account/views/HintedLoginView.js
index 74793304e9..720ded988b 100644
--- a/lms/static/js/student_account/views/HintedLoginView.js
+++ b/lms/static/js/student_account/views/HintedLoginView.js
@@ -1,7 +1,7 @@
 (function(define) {
     'use strict';
-    define(['jquery', 'underscore', 'backbone'],
-        function($, _, Backbone) {
+    define(['jquery', 'underscore', 'backbone', 'edx-ui-toolkit/js/utils/html-utils'],
+        function($, _, Backbone, HtmlUtils) {
             return Backbone.View.extend({
                 el: '#hinted-login-form',
 
@@ -22,10 +22,12 @@
                 },
 
                 render: function() {
-                    $(this.el).html(_.template(this.tpl)({
-                        hintedProvider: this.hintedProvider
-                    }));
-
+                    HtmlUtils.setHtml(
+                        $(this.el),
+                        HtmlUtils.template(this.tpl)({
+                            hintedProvider: this.hintedProvider
+                        })
+                    );
                     return this;
                 },
 

From 7f6b81a96921a1e7bd1c570d680c7d596384ef46 Mon Sep 17 00:00:00 2001
From: azanbinzahid <azan.zahid@arbisoft.com>
Date: Mon, 14 Dec 2020 18:35:28 +0500
Subject: [PATCH 09/11] PROD-2204

---
 .../views/InstitutionLoginView.js             | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/lms/static/js/student_account/views/InstitutionLoginView.js b/lms/static/js/student_account/views/InstitutionLoginView.js
index d466d15c19..dbda7e6dee 100644
--- a/lms/static/js/student_account/views/InstitutionLoginView.js
+++ b/lms/static/js/student_account/views/InstitutionLoginView.js
@@ -1,7 +1,7 @@
 (function(define) {
     'use strict';
-    define(['jquery', 'underscore', 'backbone'],
-        function($, _, Backbone) {
+    define(['jquery', 'underscore', 'backbone', 'edx-ui-toolkit/js/utils/html-utils'],
+        function($, _, Backbone, HtmlUtils) {
             return Backbone.View.extend({
                 el: '#institution_login-form',
 
@@ -13,13 +13,15 @@
                 },
 
                 render: function() {
-                    $(this.el).html(_.template(this.tpl)({
-                    // We pass the context object to the template so that
-                    // we can perform variable interpolation using sprintf
-                        providers: this.providers,
-                        platformName: this.platformName
-                    }));
-
+                    HtmlUtils.setHtml(
+                        $(this.el),
+                        HtmlUtils.template(this.tpl)({
+                            // We pass the context object to the template so that
+                            // we can perform variable interpolation using sprintf
+                            providers: this.providers,
+                            platformName: this.platformName
+                        })
+                    );
                     return this;
                 }
             });

From 9ca5df866650e46206eabb4ea1483ae01d28e475 Mon Sep 17 00:00:00 2001
From: Ali-D-Akbar <aliakbarit019@gmail.com>
Date: Mon, 14 Dec 2020 18:37:30 +0500
Subject: [PATCH 10/11] PROD-2123

---
 .../edx_ace/responsenotification/email/body.html      | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html b/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
index 71c88ae73f..8eb7c8a303 100644
--- a/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
+++ b/lms/djangoapps/discussion/templates/discussion/edx_ace/responsenotification/email/body.html
@@ -1,18 +1,17 @@
 {% extends 'ace_common/edx_ace/common/base_body.html' %}
 
 {% load i18n %}
+{% load django_markup %}
 {% load static %}
 {% block content %}
 <table width="100%" align="left" border="0" cellpadding="0" cellspacing="0" role="presentation">
     <tr>
         <td>
             <p>
-                {% filter force_escape %}
                 {% blocktrans trimmed asvar replied_to_text %}
-                    {{ comment_username }} replied to
+                    {{ comment_username }} replied to {start_tag}{{ thread_title }}{end_tag}:
                 {% endblocktrans %}
-                {% endfilter %}
-                {{ replied_to_text }} <b>{{ thread_title }}</b>:
+                {% interpolate_html replied_to_text start_tag='<b>'|safe end_tag='</b>'|safe %}
             </p>
             <div style="border-left: 1px solid rgba(0,0,0,0.25);
                     padding: 1px 1px 1px 15px;
@@ -21,9 +20,7 @@
                 {{ comment_body }}
             </div>
 
-            {% filter force_escape %}
-                {% blocktrans asvar course_cta_text %}View discussion{% endblocktrans %}
-            {% endfilter %}
+            {% trans "View discussion" as course_cta_text %}{{course_cta_text|force_escape}}
             {% include "ace_common/edx_ace/common/return_to_course_cta.html" with course_cta_text=course_cta_text course_cta_url=post_link%}
 
             {% block google_analytics_pixel %}

From 3cb1260fbda9ab396aac0293a205fd7fb5e912ac Mon Sep 17 00:00:00 2001
From: azanbinzahid <azan.zahid@arbisoft.com>
Date: Mon, 14 Dec 2020 18:48:08 +0500
Subject: [PATCH 11/11] PROD-2207

---
 lms/static/js/discovery/views/courses_listing.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lms/static/js/discovery/views/courses_listing.js b/lms/static/js/discovery/views/courses_listing.js
index c9bf0da98b..65413c62db 100644
--- a/lms/static/js/discovery/views/courses_listing.js
+++ b/lms/static/js/discovery/views/courses_listing.js
@@ -4,8 +4,9 @@
         'underscore',
         'backbone',
         'gettext',
-        'js/discovery/views/course_card'
-    ], function($, _, Backbone, gettext, CourseCardView) {
+        'js/discovery/views/course_card',
+        'edx-ui-toolkit/js/utils/html-utils'
+    ], function($, _, Backbone, gettext, CourseCardView, HtmlUtils) {
         'use strict';
 
         return Backbone.View.extend({
@@ -38,7 +39,10 @@
                     var item = new CourseCardView({model: result});
                     return item.render().el;
                 }, this);
-                this.$list.append(items);
+                HtmlUtils.append(
+                    this.$list,
+                    HtmlUtils.HTML(items)
+                );
                 /* eslint no-param-reassign: [2, { "props": false }] */
             },