From 6887ab1c260501e50e07547bb1a827dc189bd16f Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 12:36:08 +0500
Subject: [PATCH 01/12] Fix xss in course handout template

PROD-2002
---
 cms/templates/js/course_info_handouts.underscore | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/cms/templates/js/course_info_handouts.underscore b/cms/templates/js/course_info_handouts.underscore
index 16d48118da..dfa78587dd 100644
--- a/cms/templates/js/course_info_handouts.underscore
+++ b/cms/templates/js/course_info_handouts.underscore
@@ -1,22 +1,22 @@
-<a href="#" class="edit-button"><span class="edit-icon"></span><%= gettext("Edit") %></a>
+<a href="#" class="edit-button"><span class="edit-icon"></span><%- gettext("Edit") %></a>
 
-<h2 class="title"><%= gettext("Course Handouts") %></h2>
+<h2 class="title"><%- gettext("Course Handouts") %></h2>
 <%if (model.get('data') != null) { %>
   <div class="handouts-content">
 
   </div>
 <% } else {%>
-  <p><%= gettext("You have no handouts defined") %></p>
+  <p><%- gettext("You have no handouts defined") %></p>
 <% } %>
 <form class="edit-handouts-form" style="display: block;">
   <div class="message message-status error" name="handout_html_error" id="handout_error">
-    <%= gettext("There is invalid code in your content. Please check to make sure it is valid HTML.") %>
+    <%- gettext("There is invalid code in your content. Please check to make sure it is valid HTML.") %>
   </div>
   <div class="row">
     <textarea class="handouts-content-editor text-editor"></textarea>
   </div>
   <div class="row">
-    <a href="#" class="save-button"><%= gettext("Save") %></a>
-    <a href="#" class="cancel-button"><%= gettext("Cancel") %></a>
+    <a href="#" class="save-button"><%- gettext("Save") %></a>
+    <a href="#" class="cancel-button"><%- gettext("Cancel") %></a>
   </div>
 </form>

From 643736e6130b9abcbe664270f776d5793cc44763 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 12:38:37 +0500
Subject: [PATCH 02/12] Fix xss in signatories templates

PROD-2010
---
 cms/templates/js/signatory-actions.underscore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cms/templates/js/signatory-actions.underscore b/cms/templates/js/signatory-actions.underscore
index e0c4ab60c5..08c65d0ce1 100644
--- a/cms/templates/js/signatory-actions.underscore
+++ b/cms/templates/js/signatory-actions.underscore
@@ -1,6 +1,6 @@
 <div class="collection-edit">
     <div class="actions custom-signatory-action">
-            <button class="signatory-panel-save action action-primary" type="submit"><%= gettext("Save") %></button>
-            <button class="signatory-panel-close action action-secondary action-cancel"><%= gettext("Cancel") %></button>
+            <button class="signatory-panel-save action action-primary" type="submit"><%- gettext("Save") %></button>
+            <button class="signatory-panel-close action action-secondary action-cancel"><%- gettext("Cancel") %></button>
     </div>
 </div>

From e890ec6dd5136028ddbbbe46597d684d2977b5d5 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 12:52:27 +0500
Subject: [PATCH 03/12] Fix xss in team member template

PROD-2009
---
 cms/templates/js/team-member.underscore | 30 ++++++++++++-------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/cms/templates/js/team-member.underscore b/cms/templates/js/team-member.underscore
index afd20271b8..ec9fb356cf 100644
--- a/cms/templates/js/team-member.underscore
+++ b/cms/templates/js/team-member.underscore
@@ -1,11 +1,11 @@
-<li class="user-item" data-email="<%= user.email %>">
+<li class="user-item" data-email="<%- user.email %>">
     <span class="wrapper-ui-badge">
-    <span class="flag flag-role flag-role-<%= user.role %> is-hanging">
-      <span class="label sr"><%= gettext("Current Role:") %></span>
+    <span class="flag flag-role flag-role-<%- user.role %> is-hanging">
+      <span class="label sr"><%- gettext("Current Role:") %></span>
       <span class="value">
-        <%= roles[user.role] %>
+        <%- roles[user.role] %>
         <% if (is_current_user) { %>
-            <span class="msg-you"><%= gettext("You!") %></span>
+            <span class="msg-you"><%- gettext("You!") %></span>
         <% } %>
       </span>
     </span>
@@ -13,11 +13,11 @@
 
     <div class="item-metadata">
     <h3 class="user-name">
-      <span class="user-username"><%= user.username %></span>
+      <span class="user-username"><%- user.username %></span>
       <span class="user-email">
-        <a class="action action-email" href="mailto:<%= user.email %>"
-                title="<%= viewHelpers.format(gettext("send an email message to {email}"), {email: user.email})%>">
-            <%= user.email %>
+        <a class="action action-email" href="mailto:<%- user.email %>"
+                title="<%- viewHelpers.format(gettext("send an email message to {email}"), {email: user.email})%>">
+            <%- user.email %>
         </a>
       </span>
     </h3>
@@ -29,19 +29,19 @@
         <% for (var i=0; i < actions.length; i++) { %>
             <% var action = actions[i]; %>
                 <% if (action.notoggle) { %>
-                    <span class="admin-role notoggleforyou"><%= gettext("Promote another member to Admin to remove your admin rights") %></span>
+                    <span class="admin-role notoggleforyou"><%- gettext("Promote another member to Admin to remove your admin rights") %></span>
                 <% } else { %>
-                    <a href="#" class="make-<%= action.to_role %> admin-role <%= action.direction %>-admin-role">
+                    <a href="#" class="make-<%- action.to_role %> admin-role <%- action.direction %>-admin-role">
                         <% var template = (action.direction === 'add') ? gettext("Add {role} Access") : gettext("Remove {role} Access"); %>
-                        <%= viewHelpers.format(template, {role: action.label}) %></span>
+                        <%- viewHelpers.format(template, {role: action.label}) %></span>
                     </a>
                 <% } %>
         <% } %>
         </li>
-        <li class="action action-delete <%=!allow_delete ? "is-disabled" : "" %> aria-disabled="<%=!allow_delete%>">
-            <a href="#" class="delete remove-user action-icon" data-id="<%= user.email %>">
+        <li class="action action-delete <%-!allow_delete ? "is-disabled" : "" %> aria-disabled="<%-!allow_delete%>">
+            <a href="#" class="delete remove-user action-icon" data-id="<%- user.email %>">
                 <span class="icon fa fa-trash-o" aria-hidden="true"></span>
-                <span class="sr"><%= viewHelpers.format(gettext("Delete the user, {username}"), {username:user.username}) %></span>
+                <span class="sr"><%- viewHelpers.format(gettext("Delete the user, {username}"), {username:user.username}) %></span>
             </a>
         </li>
     </ul>

From 103a4f20a6c076d97c8a995c717e107066681890 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 12:56:30 +0500
Subject: [PATCH 04/12] Fix xss in transcript template

PROD-2012
---
 .../transcripts-use-existing.underscore        | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore b/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
index c884e8bf23..64c81664c4 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
@@ -1,16 +1,16 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Confirm Timed Transcript") %>
+    <%- gettext("Confirm Timed Transcript") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("You changed a video URL, but did not change the timed transcript file. Do you want to use the current timed transcript or upload a new .srt transcript file?") %>
+    <%- gettext("You changed a video URL, but did not change the timed transcript file. Do you want to use the current timed transcript or upload a new .srt transcript file?") %>
 </p>
 
 <div class="transcripts-file-uploader"></div>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -18,22 +18,22 @@
         class="action setting-use-existing"
         type="button"
         name="setting-use-existing"
-        value="<%= gettext("Use Current Transcript") %>"
-        data-tooltip="<%= gettext("Use Current Transcript") %>"
+        value="<%- gettext("Use Current Transcript") %>"
+        data-tooltip="<%- gettext("Use Current Transcript") %>"
     >
         <span>
-            <%= gettext("Use Current Transcript") %>
+            <%- gettext("Use Current Transcript") %>
         </span>
     </button>
     <button
         class="action setting-upload"
         type="button"
         name="setting-upload"
-        value="<%= gettext("Upload New Transcript") %>"
-        data-tooltip="<%= gettext("Upload New Transcript") %>"
+        value="<%- gettext("Upload New Transcript") %>"
+        data-tooltip="<%- gettext("Upload New Transcript") %>"
     >
         <span>
-            <%= gettext("Upload New Transcript") %>
+            <%- gettext("Upload New Transcript") %>
         </span>
     </button>
 </div>

From ef014f5d7f05b1a746f7bb518cf3d7a61f8950f5 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:00:30 +0500
Subject: [PATCH 05/12] Fix xss in transcript upload template

PROD-2014
---
 .../messages/transcripts-uploaded.underscore       | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore b/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
index 4740d280e5..5f93f1d28c 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%= gettext("Timed Transcript Uploaded Successfully") %></div>
+<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%- gettext("Timed Transcript Uploaded Successfully") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX has a timed transcript for this video. If you want to replace this transcript, upload a new .srt transcript file. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript.") %>
+<%- gettext("EdX has a timed transcript for this video. If you want to replace this transcript, upload a new .srt transcript file. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
-    <a class="action setting-download" href="/transcripts/download?locator=<%= component_locator %>" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <span><%= gettext("Download Transcript for Editing") %></span>
+    <a class="action setting-download" href="/transcripts/download?locator=<%- component_locator %>" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <span><%- gettext("Download Transcript for Editing") %></span>
     </a>
 </div>

From 57823e16dccc841accc254c2eaeea47fd3d402bc Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:04:48 +0500
Subject: [PATCH 06/12] fix xss in transcript import template

PROD-2018
---
 .../messages/transcripts-import.underscore         | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/js/video/transcripts/messages/transcripts-import.underscore b/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
index 7cc544488c..5229466112 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%= gettext("No EdX Timed Transcript") %></div>
+<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%- gettext("No EdX Timed Transcript") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX doesn't have a timed transcript for this video in Studio, but we found a transcript on YouTube. You can import the YouTube transcript or upload your own .srt transcript file.") %>
+<%- gettext("EdX doesn't have a timed transcript for this video in Studio, but we found a transcript on YouTube. You can import the YouTube transcript or upload your own .srt transcript file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-import" type="button" name="setting-import" value="<%= gettext("Import YouTube Transcript") %>" data-tooltip="<%= gettext("Import YouTube Transcript") %>">
-        <span><%= gettext("Import YouTube Transcript") %></span>
+    <button class="action setting-import" type="button" name="setting-import" value="<%- gettext("Import YouTube Transcript") %>" data-tooltip="<%- gettext("Import YouTube Transcript") %>">
+        <span><%- gettext("Import YouTube Transcript") %></span>
     </button>
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New .srt Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New .srt Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
 </div>

From 4481908b020aa209b85fa30193be0e66b67f15dc Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:06:35 +0500
Subject: [PATCH 07/12] fix xss in edit section template

PROD-2011
---
 cms/templates/js/section-name-edit.underscore | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cms/templates/js/section-name-edit.underscore b/cms/templates/js/section-name-edit.underscore
index cfbd64fffe..97034f1e55 100644
--- a/cms/templates/js/section-name-edit.underscore
+++ b/cms/templates/js/section-name-edit.underscore
@@ -1,5 +1,5 @@
 <form class="section-name-edit">
-    <input type="text" value="<%= name %>" autocomplete="off"/>
-    <input type="submit" class="save-button" value="<%= gettext("Save") %>" />
-    <input type="button" class="cancel-button" value="<%= gettext("Cancel") %>" />
+    <input type="text" value="<%- name %>" autocomplete="off"/>
+    <input type="submit" class="save-button" value="<%- gettext("Save") %>" />
+    <input type="button" class="cancel-button" value="<%- gettext("Cancel") %>" />
 </form>

From ec5a1be52b01ec21d8fe08719d0d83f2e05fc1ac Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:08:43 +0500
Subject: [PATCH 08/12] fix xss in transcript replace template

PROD-2013
---
 .../messages/transcripts-replace.underscore        | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore b/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
index fa63c200b6..ddd91aa1d5 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
@@ -1,17 +1,17 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Timed Transcript Conflict") %>
+    <%- gettext("Timed Transcript Conflict") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("The timed transcript for this video on edX is out of date, but YouTube has a current timed transcript for this video.") %>
+    <%- gettext("The timed transcript for this video on edX is out of date, but YouTube has a current timed transcript for this video.") %>
     <strong>
-        <%= gettext("Do you want to replace the edX transcript with the YouTube transcript?") %>
+        <%- gettext("Do you want to replace the edX transcript with the YouTube transcript?") %>
     </strong>
 </p>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -19,11 +19,11 @@
         class="action setting-replace"
         type="button"
         name="setting-replace"
-        value="<%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
-        data-tooltip="<%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
+        value="<%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
+        data-tooltip="<%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
     >
         <span>
-            <%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>
+            <%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>
         </span>
     </button>
 </div>

From 636240a4000b36822b36368468cd1b6a5d24796b Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:11:43 +0500
Subject: [PATCH 09/12] fix xss in metadata template

PROD-2015
---
 cms/templates/js/metadata-string-entry.underscore | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/cms/templates/js/metadata-string-entry.underscore b/cms/templates/js/metadata-string-entry.underscore
index 538528afc2..d2946818b2 100644
--- a/cms/templates/js/metadata-string-entry.underscore
+++ b/cms/templates/js/metadata-string-entry.underscore
@@ -1,8 +1,8 @@
 <div class="wrapper-comp-setting">
-	<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
-	<input class="input setting-input" type="text" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
-	<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
-        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
+	<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
+	<input class="input setting-input" type="text" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
+	<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
+        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
     </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>

From 1c737b3dd9df9ecef5a0b96ce020f4551838406b Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:17:38 +0500
Subject: [PATCH 10/12] fix xblock outline template

PROD-2019
---
 cms/templates/js/xblock-outline.underscore | 36 +++++++++++-----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/cms/templates/js/xblock-outline.underscore b/cms/templates/js/xblock-outline.underscore
index 59ee9a9816..0312389fbf 100644
--- a/cms/templates/js/xblock-outline.underscore
+++ b/cms/templates/js/xblock-outline.underscore
@@ -1,13 +1,13 @@
 <% if (parentInfo) { %>
-<li class="outline-item outline-item-<%= xblockType %> <%= includesChildren ? 'is-collapsible' : '' %> is-draggable <%= isCollapsed ? 'is-collapsed' : '' %>"
-    data-parent="<%= parentInfo.get('id') %>" data-locator="<%= xblockInfo.get('id') %>">
+<li class="outline-item outline-item-<%- xblockType %> <%- includesChildren ? 'is-collapsible' : '' %> is-draggable <%- isCollapsed ? 'is-collapsed' : '' %>"
+    data-parent="<%- parentInfo.get('id') %>" data-locator="<%- xblockInfo.get('id') %>">
     <span class="draggable-drop-indicator draggable-drop-indicator-before"><span class="icon fa fa-caret-right" aria-hidden="true"></span></span>
 
     <div class="wrapper-xblock-header">
         <div class="wrapper-xblock-header-primary">
             <% if (includesChildren) { %>
-                <h3 class="xblock-title expand-collapse <%= isCollapsed ? 'expand' : 'collapse' %>"
-                    title="<%= interpolate(
+                <h3 class="xblock-title expand-collapse <%- isCollapsed ? 'expand' : 'collapse' %>"
+                    title="<%- interpolate(
                           gettext('Collapse/Expand this %(xblock_type)s'), { xblock_type: xblockTypeDisplayName }, true
                     ) %>"
                 >
@@ -17,7 +17,7 @@
             <% } %>
 
                 <% if (xblockInfo.get('studio_url') && xblockInfo.get('category') !== 'chapter') { %>
-                    <a href="<%= xblockInfo.get('studio_url') %>"><%- xblockInfo.get('display_name') %></a>
+                    <a href="<%- xblockInfo.get('studio_url') %>"><%- xblockInfo.get('display_name') %></a>
                 <% } else { %>
                     <span class="wrapper-xblock-field is-editable" data-field="display_name">
                         <span class="xblock-field-value"><%- xblockInfo.get('display_name') %></span>
@@ -28,9 +28,9 @@
             <div class="item-actions">
                 <ul class="actions-list">
                     <li class="action-item action-delete">
-                        <a href="#" data-tooltip="<%= gettext('Delete') %>" class="delete-button action-button">
+                        <a href="#" data-tooltip="<%- gettext('Delete') %>" class="delete-button action-button">
                             <span class="icon fa fa-remove" aria-hidden="true"></span>
-                            <span class="sr"><%= gettext('Delete') %></span>
+                            <span class="sr"><%- gettext('Delete') %></span>
                         </a>
                     </li>
                 </ul>
@@ -40,7 +40,7 @@
             <% if (xblockInfo.get('release_date')) { %>
                 <div class="meta-info">
                     <span class="icon fa fa-clock-o" aria-hidden="true"></span>
-                    <%= gettext('Released:') %> <%= xblockInfo.get('release_date') %>
+                    <%- gettext('Released:') %> <%- xblockInfo.get('release_date') %>
                 </div>
             <% } %>
 
@@ -54,30 +54,30 @@
 <% } %>
     <% if (!parentInfo && xblockInfo.get('child_info') && xblockInfo.get('child_info').children.length === 0) { %>
         <div class="no-content add-xblock-component">
-            <p><%= gettext("You haven't added any content to this course yet.") %>
-                <a href="#" class="button button-new" data-category="<%= childCategory %>"
-                   data-parent="<%= xblockInfo.get('id') %>" data-default-name="<%= defaultNewChildName %>"
-                   title="<%= interpolate(
+            <p><%- gettext("You haven't added any content to this course yet.") %>
+                <a href="#" class="button button-new" data-category="<%- childCategory %>"
+                   data-parent="<%- xblockInfo.get('id') %>" data-default-name="<%- defaultNewChildName %>"
+                   title="<%- interpolate(
                          gettext('Click to add a new %(xblock_type)s'), { xblock_type: defaultNewChildName }, true
                    ) %>"
                 >
-                    <span class="icon fa fa-plus" aria-hidden="true"></span><%= addChildLabel %>
+                    <span class="icon fa fa-plus" aria-hidden="true"></span><%- addChildLabel %>
                 </a>
             </p>
         </div>
     <% } else { %>
-        <ol class="sortable-list sortable-<%= xblockType %>-list">
+        <ol class="sortable-list sortable-<%- xblockType %>-list">
         </ol>
 
         <% if (childType) { %>
             <div class="add-xblock-component">
-                <a href="#" class="button button-new" data-category="<%= childCategory %>"
-                   data-parent="<%= xblockInfo.get('id') %>" data-default-name="<%= defaultNewChildName %>"
-                   title="<%= interpolate(
+                <a href="#" class="button button-new" data-category="<%- childCategory %>"
+                   data-parent="<%- xblockInfo.get('id') %>" data-default-name="<%- defaultNewChildName %>"
+                   title="<%- interpolate(
                          gettext('Click to add a new %(xblock_type)s'), { xblock_type: defaultNewChildName }, true
                    ) %>"
                 >
-                    <span class="icon fa fa-plus" aria-hidden="true"></span><%= addChildLabel %>
+                    <span class="icon fa fa-plus" aria-hidden="true"></span><%- addChildLabel %>
                 </a>
             </div>
         <% } %>

From ffd585cfab9f9b38f8798ea98bf26e3d2293daa0 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:19:46 +0500
Subject: [PATCH 11/12] fix xss in grading editor template

PROD-2024
---
 cms/templates/js/grading-editor.underscore | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cms/templates/js/grading-editor.underscore b/cms/templates/js/grading-editor.underscore
index 7db05aa5ff..243de60361 100644
--- a/cms/templates/js/grading-editor.underscore
+++ b/cms/templates/js/grading-editor.underscore
@@ -1,12 +1,12 @@
-<h3 class="modal-section-title"><%= gettext('Grading') %></h3>
+<h3 class="modal-section-title"><%- gettext('Grading') %></h3>
 <div class="modal-section-content grading-type">
     <ul class="list-fields list-input">
         <li class="field field-grading-type field-select">
-            <label for="grading_type" class="label"><%= gettext('Grade as:') %></label>
+            <label for="grading_type" class="label"><%- gettext('Grade as:') %></label>
             <select class="input" id="grading_type">
-                <option value="notgraded"><%= gettext('Not Graded') %></option>
+                <option value="notgraded"><%- gettext('Not Graded') %></option>
                 <% _.each(graderTypes, function(grader) { %>
-                  <option value="<%= grader %>"><%= grader %></option>
+                  <option value="<%- grader %>"><%- grader %></option>
                 <% }); %>
             </select>
         </li>

From 8ba1d522df261e1c80d4828ec8f7d80f2e59afec Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Fri, 21 Aug 2020 13:31:49 +0500
Subject: [PATCH 12/12] fix xss in transcript not found template

PROD-2017
---
 .../messages/transcripts-not-found.underscore      | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore b/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
index 6bb74c635e..daa33a1f69 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%= gettext("No Timed Transcript") %></div>
+<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%- gettext("No Timed Transcript") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX doesn\'t have a timed transcript for this video. Please upload an .srt file.") %>
+<%- gettext("EdX doesn\'t have a timed transcript for this video. Please upload an .srt file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New Transcript") %>">
-        <%= gettext("Upload New Transcript") %>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New Transcript") %>">
+        <%- gettext("Upload New Transcript") %>
     </button>
-    <a class="action setting-download is-disabled" aria-disabled="true" href="javascropt: void(0);" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <%= gettext("Download Transcript for Editing") %>
+    <a class="action setting-download is-disabled" aria-disabled="true" href="javascropt: void(0);" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <%- gettext("Download Transcript for Editing") %>
     </a>
 </div>