From e53e5d9d031193c6f47cc1b84d6f1ce39633e3ca Mon Sep 17 00:00:00 2001
From: Ned Batchelder <ned@edx.org>
Date: Wed, 23 Mar 2016 14:35:51 -0400
Subject: [PATCH] Safe templates for static_templates

---
 lms/templates/static_templates/404.html          | 12 +++++++++---
 lms/templates/static_templates/about.html        |  1 +
 lms/templates/static_templates/blog.html         |  1 +
 lms/templates/static_templates/contact.html      |  1 +
 lms/templates/static_templates/donate.html       |  1 +
 lms/templates/static_templates/embargo.html      | 12 ++++++++----
 lms/templates/static_templates/faq.html          |  1 +
 lms/templates/static_templates/help.html         |  1 +
 lms/templates/static_templates/honor.html        |  1 +
 lms/templates/static_templates/jobs.html         |  1 +
 lms/templates/static_templates/media-kit.html    |  1 +
 lms/templates/static_templates/news.html         |  1 +
 lms/templates/static_templates/press.html        |  1 +
 lms/templates/static_templates/privacy.html      |  1 +
 lms/templates/static_templates/server-down.html  | 16 ++++++++++------
 lms/templates/static_templates/server-error.html | 16 ++++++++++------
 .../static_templates/server-overloaded.html      | 16 ++++++++++------
 lms/templates/static_templates/tos.html          |  1 +
 18 files changed, 60 insertions(+), 25 deletions(-)

diff --git a/lms/templates/static_templates/404.html b/lms/templates/static_templates/404.html
index 19aae979e1..5929f6910b 100644
--- a/lms/templates/static_templates/404.html
+++ b/lms/templates/static_templates/404.html
@@ -1,12 +1,18 @@
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
-<%! from django.utils.translation import ugettext as _ %>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <%inherit file="../main.html" />
 
 <%block name="pagetitle">${_("Page Not Found")}</%block>
 
 <section class="outside-app">
 <h1>${_("Page not found")}</h1>
-<p>${_('The page that you were looking for was not found. Go back to the {link_start}homepage{link_end} or let us know about any pages that may have been moved at {email}.').format(
-    link_start='<a href="/">', link_end='</a>', email='<a href="mailto:{email}">{email}</a>'.format(email=static.get_tech_support_email_address())
+<p>${Text(_('The page that you were looking for was not found. Go back to the {link_start}homepage{link_end} or let us know about any pages that may have been moved at {email}.')).format(
+    link_start=HTML('<a href="/">'),
+    link_end=HTML('</a>'),
+    email=HTML('<a href="mailto:{email}">{email}</a>').format(email=Text(static.get_tech_support_email_address()))
   )}</p>
 </section>
diff --git a/lms/templates/static_templates/about.html b/lms/templates/static_templates/about.html
index fab4f3ef1d..33dc300327 100644
--- a/lms/templates/static_templates/about.html
+++ b/lms/templates/static_templates/about.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/blog.html b/lms/templates/static_templates/blog.html
index 5f7608ceb9..d5b64246c1 100644
--- a/lms/templates/static_templates/blog.html
+++ b/lms/templates/static_templates/blog.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/contact.html b/lms/templates/static_templates/contact.html
index e9b831e3f5..2306938322 100644
--- a/lms/templates/static_templates/contact.html
+++ b/lms/templates/static_templates/contact.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/donate.html b/lms/templates/static_templates/donate.html
index abf2ce107e..7f807557b0 100644
--- a/lms/templates/static_templates/donate.html
+++ b/lms/templates/static_templates/donate.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/embargo.html b/lms/templates/static_templates/embargo.html
index f10ba08e6c..7eb4ecb302 100644
--- a/lms/templates/static_templates/embargo.html
+++ b/lms/templates/static_templates/embargo.html
@@ -1,16 +1,20 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <%inherit file="../main.html" />
 
 <%block name="pagetitle">${_("This Course Unavailable In Your Country")}</%block>
 
 <section class="outside-app">
 <p>
-${_("Our system indicates that you are trying to access this {platform_name} "
+${Text(_("Our system indicates that you are trying to access this {platform_name} "
     "course from a country or region currently subject to U.S. economic and trade "
     "sanctions. Unfortunately, at this time {platform_name} must comply with "
     "export controls, and we cannot allow you to access this course."
-  ).format(
-    platform_name=settings.PLATFORM_NAME,
+  )).format(
+    platform_name=Text(settings.PLATFORM_NAME),
   )}
 </p>
 </section>
diff --git a/lms/templates/static_templates/faq.html b/lms/templates/static_templates/faq.html
index 13fa3d3b9d..8bc016092e 100644
--- a/lms/templates/static_templates/faq.html
+++ b/lms/templates/static_templates/faq.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/help.html b/lms/templates/static_templates/help.html
index 1583ecef06..49c27fd86a 100644
--- a/lms/templates/static_templates/help.html
+++ b/lms/templates/static_templates/help.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/honor.html b/lms/templates/static_templates/honor.html
index dce2cea2d2..8659528eb5 100644
--- a/lms/templates/static_templates/honor.html
+++ b/lms/templates/static_templates/honor.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/jobs.html b/lms/templates/static_templates/jobs.html
index ec908d70b7..0b1c9f1e28 100644
--- a/lms/templates/static_templates/jobs.html
+++ b/lms/templates/static_templates/jobs.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/media-kit.html b/lms/templates/static_templates/media-kit.html
index f0c023c951..3fd01e0e0d 100644
--- a/lms/templates/static_templates/media-kit.html
+++ b/lms/templates/static_templates/media-kit.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />
 
diff --git a/lms/templates/static_templates/news.html b/lms/templates/static_templates/news.html
index 4790150dd0..7b5737783e 100644
--- a/lms/templates/static_templates/news.html
+++ b/lms/templates/static_templates/news.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <%inherit file="../main.html" />
diff --git a/lms/templates/static_templates/press.html b/lms/templates/static_templates/press.html
index 4790150dd0..7b5737783e 100644
--- a/lms/templates/static_templates/press.html
+++ b/lms/templates/static_templates/press.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <%inherit file="../main.html" />
diff --git a/lms/templates/static_templates/privacy.html b/lms/templates/static_templates/privacy.html
index fafe846de2..1eb1d5aba3 100644
--- a/lms/templates/static_templates/privacy.html
+++ b/lms/templates/static_templates/privacy.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 
 <%inherit file="../main.html" />
diff --git a/lms/templates/static_templates/server-down.html b/lms/templates/static_templates/server-down.html
index 3ff617e00d..cb546b826a 100644
--- a/lms/templates/static_templates/server-down.html
+++ b/lms/templates/static_templates/server-down.html
@@ -1,15 +1,19 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _ 
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <%inherit file="../main.html" />
 
 <section class="outside-app">
   <h1>
-    ${_("Currently the {platform_name} servers are down").format(
-        platform_name=u"<em>{}</em>".format(settings.PLATFORM_NAME)
+    ${Text(_("Currently the {platform_name} servers are down")).format(
+        platform_name=HTML(u"<em>{}</em>").format(Text(settings.PLATFORM_NAME))
     )}
   </h1>
   <p>
-    ${_("Our staff is currently working to get the site back up as soon as possible. "
-    "Please email us at {tech_support_email} to report any problems or downtime.").format(
-        tech_support_email=u"<a href=\"mailto:{0}\">{0}</a>".format(settings.TECH_SUPPORT_EMAIL)
+    ${Text(_("Our staff is currently working to get the site back up as soon as possible. "
+    "Please email us at {tech_support_email} to report any problems or downtime.")).format(
+        tech_support_email=HTML('<a href="mailto:{0}">{0}</a>').format(Text(settings.TECH_SUPPORT_EMAIL))
     )}</p>
 </section>
diff --git a/lms/templates/static_templates/server-error.html b/lms/templates/static_templates/server-error.html
index 4391cd420a..69fb62cc25 100644
--- a/lms/templates/static_templates/server-error.html
+++ b/lms/templates/static_templates/server-error.html
@@ -1,17 +1,21 @@
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
-<%! from django.utils.translation import ugettext as _ %>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <%inherit file="../main.html" />
 
 <section class="outside-app">
   <h1>
-    ${_(u"There has been a 500 error on the {platform_name} servers").format(
-        platform_name=u"<em>{platform_name}</em>".format(platform_name=static.get_platform_name())
+    ${Text(_(u"There has been a 500 error on the {platform_name} servers")).format(
+        platform_name=HTML("<em>{platform_name}</em>").format(platform_name=Text(static.get_platform_name()))
     )}
   </h1>
   <p>
-    ${_(u'Please wait a few seconds and then reload the page. If the problem persists, please email us at {email}.').format(
-        email=u'<a href="mailto:{email}">{email}</a>'.format(
-            email=static.get_tech_support_email_address()
+    ${Text(_('Please wait a few seconds and then reload the page. If the problem persists, please email us at {email}.')).format(
+        email=HTML('<a href="mailto:{email}">{email}</a>').format(
+            email=Text(static.get_tech_support_email_address())
         )
     )}
   </p>
diff --git a/lms/templates/static_templates/server-overloaded.html b/lms/templates/static_templates/server-overloaded.html
index e08317f3b4..00daab5217 100644
--- a/lms/templates/static_templates/server-overloaded.html
+++ b/lms/templates/static_templates/server-overloaded.html
@@ -1,16 +1,20 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+<%!
+from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
+%>
 <%inherit file="../main.html" />
 
 <section class="outside-app">
   <h1>
-    ${_("Currently the {platform_name} servers are overloaded").format(
-        platform_name=u"<em>{}</em>".format(platform_name=settings.PLATFORM_NAME)
+    ${Text(_("Currently the {platform_name} servers are overloaded")).format(
+        platform_name=HTML("<em>{}</em>").format(platform_name=Text(settings.PLATFORM_NAME))
     )}
   </h1>
   <p>
-    ${_("Our staff is currently working to get the site back up as soon as possible. "
-    "Please email us at {tech_support_email} to report any problems or downtime.").format(
-        tech_support_email=u"<a href=\"mailto:{0}\">{0}</a>".format(tech_support_email=settings.TECH_SUPPORT_EMAIL)
+    ${Text(_("Our staff is currently working to get the site back up as soon as possible. "
+    "Please email us at {tech_support_email} to report any problems or downtime.")).format(
+        tech_support_email=HTML('<a href="mailto:{0}">{0}</a>').format(tech_support_email=Text(settings.TECH_SUPPORT_EMAIL))
     )}
   </p>
 </section>
diff --git a/lms/templates/static_templates/tos.html b/lms/templates/static_templates/tos.html
index 96521243f9..74f786b552 100644
--- a/lms/templates/static_templates/tos.html
+++ b/lms/templates/static_templates/tos.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <%inherit file="../main.html" />