Merge pull request #23969 from edx/aehsan/PROD-1579/fixed_quality_violation

Fixed xss lint violations
2020-05-13 06:39:01 +05:00
parent dfa1bf158b 3da5144fee
commit 5f26cde55f
3 changed files with 13 additions and 7 deletions
--- a/lms/templates/modal/_modal-settings-language.html
+++ b/lms/templates/modal/_modal-settings-language.html
@@ -1,5 +1,7 @@
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <%!
+from openedx.core.djangolib.markup import HTML, Text
 from django.utils.translation import ugettext as _
 from django.urls import reverse
 %>
@@ -53,12 +55,12 @@ from django.urls import reverse

      <ul class="list list-actions actions-supplemental">
        <li class="list-actions-item">
-        ${_("Don't see your preferred language? {link_start}Volunteer to become a translator!{link_end}").format(
-          link_start='<a class=" action action-volunteer" rel="external" target="_blank" href={translators_guide}>'.format(
-            translators_guide=settings.TRANSLATORS_GUIDE
-          ),
-          link_end="</a>"
-        )}
+        ${Text(_("Don't see your preferred language? {link_start}Volunteer to become a translator!{link_end}")).format(
+            link_start=HTML('<a class=" action action-volunteer" rel="external" target="_blank"\
+                              href={translators_guide}>').format(translators_guide=settings.TRANSLATORS_GUIDE),
+            link_end=HTML("</a>")
+            )
+        }
        </li>
      </ul>
    </div>
--- a/lms/templates/wiki/plugins/attachments/index.html
+++ b/lms/templates/wiki/plugins/attachments/index.html
@@ -61,6 +61,7 @@


  <div class="attachment-list">
+    # xss-lint: disable=django-trans-missing-escape
    <!--<p class="lead">{% trans "The following files are available for this article. Copy the markdown tag to directly refer to a file from the article text." %}</p>-->
    <ul>
      {% for attachment in attachments %}
--- a/openedx/core/djangoapps/schedules/templates/dropdown_filter.html
+++ b/openedx/core/djangoapps/schedules/templates/dropdown_filter.html
@@ -1,5 +1,8 @@
 {% load i18n %}
-<h3>{% blocktrans with filter_title=title %} By {{ filter_title }} {% endblocktrans %}</h3>
+<h3>{% filter force_escape %}
+    {% blocktrans with filter_title=title %} By {{ filter_title }} {% endblocktrans %}
+    {% endfilter %}
+</h3>
 <form method="GET">
    {% for name, param in spec.unused_parameters.items %}
    <input type="hidden" name="{{ name }}" value="{{ param }}"/>