Fix edx-platform templates for xss.

This is part 2 of a multiple PR to escape
edx-platform templates to prevent xss attack.

PROD-465

lms/templates/commerce/checkout_cancel.html

@@ -1,4 +1,7 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%inherit file="../main.html" />
 
@@ -7,6 +10,6 @@
 
 <section class="container">
     <h1>${_("Checkout Cancelled")}</h1>
-    ${ _(u"Your transaction has been cancelled. If you feel an error has occurred, contact {email}.").format(
-    email="<a href=\"mailto:{email}\">{email}</a>".format(email=payment_support_email)) }
+    ${ Text(_(u"Your transaction has been cancelled. If you feel an error has occurred, contact {email}.")).format(
+    email=HTML("<a href=\"mailto:{email}\">{email}</a>").format(email=payment_support_email)) }
 </section>

lms/templates/commerce/checkout_error.html

@@ -1,4 +1,7 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%inherit file="../main.html" />
 
@@ -7,6 +10,8 @@
 
 <section class="container">
     <h1>${_("Checkout Error")}</h1>
-    ${ _(u"An error has occurred with your payment. <b>You have not been charged.</b> Please try to submit your payment again. If this problem persists, contact {email}.").format(
-    email="<a href=\"mailto:{email}\">{email}</a>".format(email=payment_support_email)) }
+    ${ Text(_(u"An error has occurred with your payment. {b_start}You have not been charged.{b_end} Please try to submit your payment again. If this problem persists, contact {email}.")).format(
+    b_start=HTML('<b>'),
+    b_end=HTML('</b>'),
+    email=HTML("<a href=\"mailto:{email}\">{email}</a>").format(email=payment_support_email)) }
 </section>

lms/templates/commerce/checkout_receipt.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 %>

lms/templates/courseware/courseware-error.html

@@ -1,4 +1,7 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 <%inherit file="/main.html" />
 <%namespace name='static' file='../static_content.html'/>
 <%block name="bodyclass">courseware</%block>
@@ -18,14 +21,14 @@ from openedx.core.djangolib.markup import HTML, Text
 <section class="container">
   <section class="outside-app">
     <h1>
-      ${_('There has been an error on the {platform_name} servers').format(
-          platform_name=u'<span class="edx">{}</span>'.format(static.get_platform_name())
+      ${Text(_('There has been an error on the {platform_name} servers')).format(
+          platform_name=HTML(u'<span class="edx">{}</span>').format(static.get_platform_name())
       )}
     </h1>
     <p>
-      ${_("We're sorry, this module is temporarily unavailable. Our staff is working to fix "
-      "it as soon as possible. Please email us at {tech_support_email} to report any problems or downtime.").format(
-      tech_support_email=u'<a href=\"mailto:{0}\">{0}</a>'.format(static.get_tech_support_email_address())
+      ${Text(_("We're sorry, this module is temporarily unavailable. Our staff is working to fix "
+      "it as soon as possible. Please email us at {tech_support_email} to report any problems or downtime.")).format(
+      tech_support_email=HTML(u'<a href=\"mailto:{0}\">{0}</a>').format(static.get_tech_support_email_address())
       )}
     </p>
   </section>

lms/templates/debug/run_python_form.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <html><body>
 <div>
@@ -5,7 +6,7 @@
 <form method='post'>
     <input type="hidden" name="csrfmiddlewaretoken" value="${ csrf_token }">
     <div>
-        <textarea name='code' rows='20' cols='80'>${code|h}</textarea>
+        <textarea name='code' rows='20' cols='80'>${code}</textarea>
     </div>
     <input type='submit' value='Run it!'/>
 </form>
@@ -14,7 +15,7 @@
 <div>
     <p>${_("Results:")}</p>
     <pre>
-${results|h}
+${results}
 </pre>
 </div>
 %endif

lms/templates/email_change_failed.html

@@ -1,4 +1,7 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%inherit file="main.html" />
 
@@ -14,6 +17,8 @@
     <p>${_("We were unable to send a confirmation email to {email}").format(email=email)}</p>
     % endif
 
-    <p>${_('Go back to the {link_start}home page{link_end}.').format(link_start='<a href="/">', link_end='</a>')}</p>
+    <p>${Text(_('Go back to the {link_start}home page{link_end}.')).format(
+        link_start=HTML('<a href="/">'),
+        link_end=HTML('</a>'))}</p>
   </section>
 </section>

lms/templates/email_change_successful.html

@@ -1,6 +1,8 @@
+<%page expression_filter="h"/>
 <%inherit file="main.html" />
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
 from django.urls import reverse
 %>
 
@@ -10,9 +12,9 @@ from django.urls import reverse
     <h1 class="valid">${_("E-mail change successful!")}</h1>
     <hr class="horizontal-divider">
 
-    <p>${_('You should see your new email in your {link_start}dashboard{link_end}.').format(
-        link_start='<a href="{url}">'.format(url=reverse('dashboard')),
-        link_end='</a>',
+    <p>${Text(_('You should see your new email in your {link_start}dashboard{link_end}.')).format(
+        link_start=HTML('<a href="{url}">').format(url=reverse('dashboard')),
+        link_end=HTML('</a>'),
       )}</p>
   </section>
 </section>

lms/templates/email_exists.html

@@ -1,4 +1,7 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%inherit file="main.html" />
 
@@ -10,6 +13,8 @@
 
     <p>${_("An account with the new e-mail address already exists.")}</p>
 
-    <p>${_("Go back to the {link_start}home page{link_end}.").format(link_start='<a href="/">', link_end='</a>')}</p>
+    <p>${Text(_("Go back to the {link_start}home page{link_end}.")).format(
+        link_start=HTML('<a href="/">'),
+        link_end=HTML('</a>'))}</p>
   </section>
 </section>

lms/templates/embargo/default_courseware.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 

lms/templates/embargo/default_enrollment.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 

lms/templates/enroll_students.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h" />
 <%! from django.utils.translation import ugettext as _ %>
 
 <h1>${_("Student Enrollment Form")} </h1>

lms/templates/extauth_failure.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h" />
 <%! from django.utils.translation import ugettext as _ %>
 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"

lms/templates/financial-assistance/financial-assistance.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="../main.html"/>
 <%
 from django.urls import reverse

lms/templates/instructor/instructor_dashboard_2/executive_summary.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <!DOCTYPE HTML>
 <html>

lms/templates/invalid_email_key.html

@@ -1,5 +1,8 @@
+<%page expression_filter="h" />
 <%inherit file="main.html" />
-<%! from django.utils.translation import ugettext as _ %>
+<%! from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <section class="container activation">
 
@@ -12,6 +15,6 @@
       <li>${_("Did your e-mail client break the URL into two lines?")}
       <li>${_("The keys are valid for a limited amount of time. Has the key expired?")}
     </ul>
-    <p>${_('Go back to the {link_start}home page{link_end}.').format(link_start='<a href="/">', link_end='</a>')}</p>
+    <p>${Text(_('Go back to the {link_start}home page{link_end}.')).format(link_start=HTML('<a href="/">'), link_end=HTML('</a>'))}</p>
   </section>
 </section>

lms/templates/library-block-author-preview-header.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ungettext %>
 <div class="wrapper-xblock-message">
     <div class="xblock-message information">

lms/templates/lti.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%!
 import json
 from django.utils.translation import ugettext as _
@@ -61,7 +62,7 @@ from django.utils.translation import ugettext as _
     <h4 class="hd hd-4 problem-feedback-label">${_("Feedback on your work from the grader:")}</h4>
     <div class="problem-feedback">
         ## sanitized with bleach in view
-        ${comment}
+        ${comment | n, decode.utf8}
     </div>
 % endif
 

lms/templates/peer_grading/peer_grading_closed.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <section class="container peer-grading-container">
 <h2>${_("Peer Grading")}</h2>

lms/templates/provider_login.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <%inherit file="main.html" />

lms/templates/register-form.html

@@ -1,7 +1,9 @@
+<%page expression_filter="h"/>
 <%!
 import third_party_auth
 from third_party_auth import pipeline, provider
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import HTML, Text
 from django_countries import countries
 from student.models import UserProfile
 %>
@@ -26,7 +28,7 @@ from student.models import UserProfile
 
   % for enabled in provider.Registry.displayed_for_login():
     ## Translators: provider_name is the name of an external, third-party user authentication service (like Google or LinkedIn).
-    <button type="submit" class="button button-primary button-${enabled.provider_id} register-${enabled.provider_id}" onclick="thirdPartySignin(event, '${pipeline_urls[enabled.provider_id]}');">
+    <button type="submit" class="button button-primary button-${enabled.provider_id} register-${enabled.provider_id}" onclick="thirdPartySignin(event, '${pipeline_urls[enabled.provider_id] | n, decode.utf8}');">
       % if enabled.icon_class:
       <span class="icon fa ${enabled.icon_class}" aria-hidden="true"></span>
       % else:
@@ -46,7 +48,9 @@ from student.models import UserProfile
 
   <p class="instructions">
     ${_('Create your own {platform_name} account below').format(platform_name=platform_name)}
-    <span class="note">${_('Required fields are noted by <strong class="indicator">bold text and an asterisk (*)</strong>.')}</span>
+    <span class="note">${Text(_('Required fields are noted by {strong_start}bold text and an asterisk (*){strong_end}.')).format(
+        strong_start=HTML('<strong class="indicator">'),
+        strong_end=HTML('</strong>'))}</span>
   </p>
 
 
@@ -54,7 +58,7 @@ from student.models import UserProfile
 
   <p class="instructions">
     ## Translators: selected_provider is the name of an external, third-party user authentication service (like Google or LinkedIn).
-    ${_("You've successfully signed in with {selected_provider}.").format(selected_provider='<strong>%s</strong>' % selected_provider)}<br />
+    ${Text(_("You've successfully signed in with {selected_provider}.")).format(selected_provider=HTML('<strong>{selected_provider}</strong>').format(selected_provider=selected_provider))}<br />
     ${_("We just need a little more information before you start learning with {platform_name}.").format(platform_name=settings.PLATFORM_NAME)}
   </p>
 
@@ -64,7 +68,8 @@ from student.models import UserProfile
 
 <p class="instructions">
   ${_("Please complete the following fields to register for an account. ")}<br />
-  ${_('Required fields are noted by <strong class="indicator">bold text and an asterisk (*)</strong>.')}
+  ${Text(_('Required fields are noted by {strong_start}bold text and an asterisk (*){strong_end}.')).format( \
+    strong_start=HTML('<strong class="indicator">'), strong_end=HTML('</strong>'))}
 </p>
 
 % endif
@@ -239,9 +244,9 @@ from student.models import UserProfile
       % if has_extauth_info is UNDEFINED or ask_for_tos :
       <div class="field required checkbox" id="field-tos">
         <input id="tos-yes" type="checkbox" name="terms_of_service" value="true" required aria-required="true" />
-        <label for="tos-yes">${_('I agree to the {link_start}Terms of Service{link_end}').format(
-          link_start='<a href="{url}" class="new-vp" tabindex="-1">'.format(url=marketing_link('TOS')),
-          link_end='</a>')}</label>
+        <label for="tos-yes">${Text(_('I agree to the {link_start}Terms of Service{link_end}')).format(
+          link_start=HTML('<a href="{url}" class="new-vp" tabindex="-1">').format(url=marketing_link('TOS')),
+          link_end=HTML('</a>'))}</label>
       </div>
       % endif
 
@@ -253,9 +258,9 @@ from student.models import UserProfile
         <%
           honor_code_path = marketing_link('HONOR')
         %>
-        <label for="honorcode-yes">${_('I agree to the {link_start}Honor Code{link_end}').format(
-          link_start='<a href="{url}" class="new-vp" tabindex="-1">'.format(url=honor_code_path),
-          link_end='</a>')}</label>
+        <label for="honorcode-yes">${Text(_('I agree to the {link_start}Honor Code{link_end}')).format(
+          link_start=HTML('<a href="{url}" class="new-vp" tabindex="-1">').format(url=honor_code_path),
+          link_end=HTML('</a>'))}</label>
       </div>
       % endif
       % endif
@@ -264,5 +269,5 @@ from student.models import UserProfile
 </div>
 
 <div class="form-actions">
-  <button name="submit" type="submit" id="submit" class="action action-primary action-update register-button">${_('Register')} <span class="orn-plus">+</span> ${_('Create My Account')}</button>
+  <button name="submit" type="submit" id="submit" class="action action-primary action-update register-button">${_('Register')} <span class="orn-plus">+</span> ${Text(_('Create My Account'))}</button>
 </div>

lms/templates/shoppingcart/download_report.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="../main.html" />
 <%!
 from django.utils.translation import ugettext as _

lms/templates/shoppingcart/shopping_cart_flow.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="../main.html" />
 <%namespace name='static' file='/static_content.html'/>
 <%!

lms/templates/student_account/finish_auth.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%namespace name='static' file='/static_content.html'/>
 <%inherit file="/main.html" />

lms/templates/support/enrollment.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from openedx.core.djangolib.js_utils import js_escaped_string

lms/templates/support/index.html

@@ -1,4 +1,5 @@
 ## mako
+<%page expression_filter="h"/>
 <%!
 from django.urls import reverse
 from django.utils.translation import ugettext as _

lms/templates/verify_student/_verification_help.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 from openedx.core.djangolib.markup import HTML, Text