From 8a85d7e346bfed865872d297ebe32d45b1fe40b5 Mon Sep 17 00:00:00 2001
From: Kevin Falcone <kevin@edx.org>
Date: Wed, 23 Mar 2016 14:32:29 -0400
Subject: [PATCH] Udpate to secure by default

Most things were already escaped, including the json.dumps, and we've
decided not to use dump_html_escaped_json
---
 lms/templates/courseware/submission_history.html | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lms/templates/courseware/submission_history.html b/lms/templates/courseware/submission_history.html
index b89fb420f9..a2a72946be 100644
--- a/lms/templates/courseware/submission_history.html
+++ b/lms/templates/courseware/submission_history.html
@@ -1,5 +1,6 @@
+<%page expression_filter="h"/>
 <% import json  %>
-<h3>${username | h} > ${course_id | h} > ${location | h}</h3>
+<h3>${username} > ${course_id} > ${location}</h3>
 
 % for i, (entry, score) in enumerate(zip(history_entries, scores)):
 <hr/>
@@ -7,7 +8,7 @@
 <b>#${len(history_entries) - i}</b>: ${entry.updated} (${TIME_ZONE} time)</br>
 Score: ${score.grade} / ${score.max_grade}
 <pre>
-${json.dumps(entry.state, indent=2, sort_keys=True) | h}
+${json.dumps(entry.state, indent=2, sort_keys=True)}
 </pre>
 </div>
 % endfor