diff --git a/cms/static/js/views/container.js b/cms/static/js/views/container.js index 8deefb758b..5d43112bb7 100644 --- a/cms/static/js/views/container.js +++ b/cms/static/js/views/container.js @@ -1,9 +1,9 @@ define([ 'jquery', 'underscore', 'js/views/xblock', 'js/utils/module', - 'gettext', 'common/js/components/views/feedback_notification', - 'jquery.ui' + 'gettext', 'edx-ui-toolkit/js/utils/string-utils', + 'common/js/components/views/feedback_notification', 'jquery.ui' ], // The container view uses sortable, which is provided by jquery.ui. - function($, _, XBlockView, ModuleUtils, gettext, NotificationView) { + function($, _, XBlockView, ModuleUtils, gettext, StringUtils, NotificationView) { 'use strict'; var studioXBlockWrapperClass = '.studio-xblock-wrapper'; @@ -142,7 +142,15 @@ define([ }, makeRequestSpecificSelector: function(selector) { - return 'div.xblock[data-request-token="' + this.requestToken + '"] > ' + selector; + return StringUtils.interpolate( + gettext('{startTag}{requestToken}{endTag}{selector}'), + { + startTag: 'div.xblock[data-request-token="', + requestToken: this.requestToken, + endTag: '"] > ', + selector: selector + } + ); } }); diff --git a/cms/static/js/views/experiment_group_edit.js b/cms/static/js/views/experiment_group_edit.js index cb7388c962..4b4470e612 100644 --- a/cms/static/js/views/experiment_group_edit.js +++ b/cms/static/js/views/experiment_group_edit.js @@ -29,7 +29,7 @@ function(BaseView, _, str, gettext, groupEditTemplate) { var collection = this.model.collection, index = collection.indexOf(this.model); - this.$el.html(_.template(groupEditTemplate)({ + edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.template(groupEditTemplate)({ name: this.model.get('name'), allocation: this.getAllocation(), index: index, diff --git a/cms/static/js/views/learning_info.js b/cms/static/js/views/learning_info.js index 57e75f301c..d29dd67838 100644 --- a/cms/static/js/views/learning_info.js +++ b/cms/static/js/views/learning_info.js 
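Review bot: The rewritten makeRequestSpecificSelector passes a pure CSS-selector format string through `gettext()`, which registers `'{startTag}{requestToken}{endTag}{selector}'` as a translatable msgid although it contains nothing to translate, and StringUtils.interpolate does not escape its arguments, so the result is byte-for-byte the same as the removed concatenation. If the point is to satisfy a string-concatenation lint rule, drop the gettext call — `return StringUtils.interpolate('{startTag}{requestToken}{endTag}{selector}', { ... });` — and add a comment such as `// requestToken is an opaque server-issued token and selector is caller-supplied; neither is user input, so no escaping is applied here (confirm before reusing with other inputs)`. Neither the old nor the new form escapes a `"` in requestToken, so that assumption is what keeps the attribute selector well-formed.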
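Review bot: The new render call in experiment_group_edit.js reaches HtmlUtils through the `edx` global (`edx.HtmlUtils.setHtml`, `edx.HtmlUtils.template`) while the module's define callback — `function(BaseView, _, str, gettext, groupEditTemplate)` — does not declare it, unlike learning_info.js and list_item.js in this same commit, which add `'edx-ui-toolkit/js/utils/html-utils'` as an AMD dependency. Add the dependency and an `HtmlUtils` parameter so a missing module fails at load time instead of as an undefined-property error whenever the global has not been attached yet. Switching to `HtmlUtils.template` only makes HtmlUtils/StringUtils available inside the template; it does not change how `<%= %>` expressions in groupEditTemplate are escaped, so the template itself still needs review. The body of render continues outside the hunk.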
@@ -5,9 +5,10 @@ define([ 'underscore', 'backbone', 'gettext', - 'js/utils/templates' + 'js/utils/templates', + 'edx-ui-toolkit/js/utils/html-utils' ], -function($, _, Backbone, gettext, TemplateUtils) { +function($, _, Backbone, gettext, TemplateUtils, HtmlUtils) { 'use strict'; var LearningInfoView = Backbone.View.extend({ @@ -33,7 +34,12 @@ function($, _, Backbone, gettext, TemplateUtils) { var self = this; var learning_information = this.model.get('learning_info'); $.each(learning_information, function(index, info) { - $(self.el).append(self.template({index: index, info: info, info_count: learning_information.length})); + var attributes = { + index: index, + info: info, + info_count: learning_information.length + }; + $(self.el).append(HtmlUtils.HTML(self.template(attributes)).toString()); }); }, diff --git a/cms/static/js/views/list_item.js b/cms/static/js/views/list_item.js index e51c9caede..22327ebbc7 100644 --- a/cms/static/js/views/list_item.js +++ b/cms/static/js/views/list_item.js @@ -12,9 +12,10 @@ * to the DOM. */ define([ - 'js/views/baseview', 'jquery', 'gettext', 'common/js/components/utils/view_utils' + 'js/views/baseview', 'jquery', 'gettext', + 'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils' ], function( - BaseView, $, gettext, ViewUtils + BaseView, $, gettext, ViewUtils, HtmlUtils ) { 'use strict'; @@ -81,7 +82,7 @@ define([ this.view = this.createDetailsView(); } - this.$el.html(this.view.render().el); + this.$el.html(HtmlUtils.HTML(this.view.render().el).toString()); return this; } diff --git a/lms/templates/ccx/coach_dashboard.html b/lms/templates/ccx/coach_dashboard.html index 498a8d583a..0fb54c5848 100644 --- a/lms/templates/ccx/coach_dashboard.html +++ b/lms/templates/ccx/coach_dashboard.html 
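Review bot: `HtmlUtils.HTML(self.template(attributes)).toString()` appears to wrap the rendered string in an HtmlSnippet and immediately unwrap it, so the markup appended to `self.el` is the same string the removed line appended; any `<%= %>` in the template still injects `info` unescaped. To get actual protection, compile the template with `HtmlUtils.template` where `self.template` is created (outside this hunk) and append with `HtmlUtils.append($(self.el), self.template(attributes));`, which takes the HtmlSnippet directly. If the template is already known to escape `info`, state that in a comment next to the append rather than relying on the HTML() wrapper to signal it.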
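Review bot: In list_item.js, `HtmlUtils.HTML(this.view.render().el).toString()` is a no-op on a DOM element — HTML() appears to store whatever it is given and toString() hands it back, so `.html()` still receives the element and inserts it as a node, exactly as before, with no parsing of untrusted markup involved. A wrapper whose only effect is to satisfy a lint rule reads as if escaping happens here; prefer the explicit `this.$el.empty().append(this.view.render().el);` with a one-line comment noting that a rendered node, not a markup string, is being inserted. The enclosing render method starts outside the hunk.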
@@ -129,8 +129,9 @@ from openedx.core.djangolib.js_utils import ( studentId = $('', { type: 'hidden', name: 'student-id', - value: selectedStudent + value: edx.HtmlUtils.ensureHtml(selectedStudent) }); + // xss-lint: disable=javascript-jquery-append form.append(action, studentId).submit(); } }); @@ -153,7 +154,7 @@ from openedx.core.djangolib.js_utils import ( $errorMessage.show(); return false; } else if (hasCcxConnector) { - $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}'); + $errorMessage.text('${use_ccx_con_error_message | n, js_escaped_string}'); $errorMessage.show(); return false; } diff --git a/lms/templates/components/card/card.underscore b/lms/templates/components/card/card.underscore index 178d102b29..06e8483ea0 100644 --- a/lms/templates/components/card/card.underscore +++ b/lms/templates/components/card/card.underscore @@ -6,7 +6,7 @@ <% } %>
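Review bot: `value: edx.HtmlUtils.ensureHtml(selectedStudent)` applies HTML escaping to a string that jQuery then assigns as an attribute value through the DOM, not through HTML parsing, so if ensureHtml escapes plain strings as its name suggests, a student identifier containing `&`, `'` or `<` would be submitted entity-encoded (`&amp;` and so on) instead of verbatim. That attribute path was not an injection vector; keep `value: selectedStudent` and explain why next to the added `// xss-lint: disable=javascript-jquery-append` marker. Changing `$errorMessage` to `.text()` in the second hunk is the right fix for that message, with the caveat that any markup intended in `use_ccx_con_error_message` now renders literally — confirm it is plain text. Both enclosing handlers start and end outside these hunks.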

- aria-describedby="<%= srInfo.id %>" + aria-describedby="<%- srInfo.id %>" <% } %> ><%- title %>

@@ -17,7 +17,8 @@
- <%= action_content %> + <% // xss-lint: disable=underscore-not-escaped %> + <%= action_content %>
<% } else { %> @@ -28,14 +29,15 @@ <% } %>

- aria-describedby="<%= srInfo.id %>" + aria-describedby="<%- srInfo.id %>" <% } %> ><%- title %>

<%- description %>

- <%= action_content %> + <% // xss-lint: disable=underscore-not-escaped %> + <%= action_content %>
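Review bot: `<%= action_content %>` still emits the value unescaped in both branches of card.underscore (this hunk and the one at `@@ -17,7 +17,8 @@`), and the added `xss-lint: disable=underscore-not-escaped` markers record the exception without stating the contract that makes it safe. Put the contract beside each marker, e.g. `<% // action_content must be an HtmlSnippet or caller-escaped markup, never raw user text %>`, or, if this template is compiled through HtmlUtils.template, render it as `<%= HtmlUtils.ensureHtml(action_content) %>` so a plain string gets escaped and only an HtmlSnippet passes through untouched. The `aria-describedby="<%- srInfo.id %>"` change is correct.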
diff --git a/lms/templates/edxnotes/note-item.underscore b/lms/templates/edxnotes/note-item.underscore index 941127984f..2ed78b7d34 100644 --- a/lms/templates/edxnotes/note-item.underscore +++ b/lms/templates/edxnotes/note-item.underscore @@ -18,6 +18,7 @@
  • <%- gettext("You commented...") %>

    + <% // xss-lint: disable=underscore-not-escaped %> <%= interpolate_text(_.escape(text), { elasticsearch_highlight_start: '', elasticsearch_highlight_end: '' @@ -32,7 +33,7 @@

    <%- gettext("Noted in:") %>

    <% if (unit.url) { %> - <%- unit.display_name %> + <%- unit.display_name %> <% } else { %> <%- unit.display_name %> <% } %> @@ -44,6 +45,7 @@

    <%- gettext("Tags:") %>

    <% for (var i = 0; i < tags.length; i++) { %> + <% // xss-lint: disable=underscore-not-escaped %> <%= interpolate_text(_.escape(tags[i]), { elasticsearch_highlight_start: '', elasticsearch_highlight_end: '' diff --git a/lms/templates/edxnotes/tab-item.underscore b/lms/templates/edxnotes/tab-item.underscore index 91b6de9814..86530d1cd8 100644 --- a/lms/templates/edxnotes/tab-item.underscore +++ b/lms/templates/edxnotes/tab-item.underscore @@ -1,7 +1,7 @@ <% var hasIcon = icon ? 1 : 0; %> - <% if (hasIcon) { %> <% } %><%- gettext(name) %> + <% if (hasIcon) { %> <% } %><%- gettext(name) %> <% if (is_closable) { %> diff --git a/lms/templates/fields/field_image.underscore b/lms/templates/fields/field_image.underscore index 79c422ed30..07ce9cf3e7 100644 --- a/lms/templates/fields/field_image.underscore +++ b/lms/templates/fields/field_image.underscore @@ -1,16 +1,18 @@
    - <%=imageAltText%> + <%-imageAltText%>
    - +
    diff --git a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore index 1052b32bc6..88b3c77397 100644 --- a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore +++ b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore @@ -12,7 +12,7 @@ <%- is_registration_code_valid %> <% _.each(actions, function(action){ %> - + <%- action.action_name %> <% }); %> diff --git a/lms/templates/learner_dashboard/program_card.underscore b/lms/templates/learner_dashboard/program_card.underscore index 11c474b5ae..de98c952dd 100644 --- a/lms/templates/learner_dashboard/program_card.underscore +++ b/lms/templates/learner_dashboard/program_card.underscore @@ -57,7 +57,7 @@ - +
    diff --git a/lms/templates/video.html b/lms/templates/video.html index d475106cab..51fcddd3ea 100644 --- a/lms/templates/video.html +++ b/lms/templates/video.html @@ -2,7 +2,9 @@ <%! from django.utils.translation import ugettext as _ -from openedx.core.djangolib.js_utils import js_escaped_string +from openedx.core.djangolib.js_utils import ( + dump_js_escaped_json, js_escaped_string +) %> % if display_name is not UNDEFINED and display_name is not None:

    ${display_name}

    @@ -98,14 +100,14 @@ from openedx.core.djangolib.js_utils import js_escaped_string var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36); var id = "${id | n, js_escaped_string}"; function initializeCDNExperiment() { - sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load"); + sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, "", "load"); cdnStartTime = Date.now(); $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata', 'loadeddata', 'canplay', 'canplaythrough', 'seeked'], function(index, eventName) { $("#video_" + id).bind("html5:" + eventName, null, function() { timeElapsed = Date.now() - cdnStartTime; - sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName); + sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, timeElapsed, eventName); }); }); }
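Review bot: Filtering `cdn_exp_group` through `dump_js_escaped_json` changes how the value is emitted as well as securing it: a string group name now reaches sendPerformanceBeacon as a quoted JS string where the removed `${cdn_exp_group}` presumably inlined it raw, and a None becomes `null`, so the beacon consumer should be checked for the type it expects. The neighbouring `$("#video_" + id)` lookup builds a selector by concatenation; `js_escaped_string` protects only the JS string context, so if `id` can ever contain CSS selector metacharacters the lookup should be `$(document.getElementById("video_" + id))` — pre-existing, not introduced here. The enclosing script block extends beyond the hunk.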