Merge pull request #24646 from edx/private_to_public_4cf3c00

Mergeback PR from private to public.

cms/templates/admin/base_site.html

@@ -7,13 +7,13 @@
 {% block nav-global %}{% endblock %}
 {% block userlinks %}
     {% if site_url %}
-        <a href="{{ site_url }}">{% trans 'View site' %}</a> /
+        <a href="{{ site_url }}">{% trans 'View site' as tmsg%} {{tmsg|force_escape}}</a> /
     {% endif %}
     {% if user.is_active and user.is_staff %}
         {% url 'django-admindocs-docroot' as docsroot %}
         {% if docsroot %}
-            <a href="{{ docsroot }}">{% trans 'Documentation' %}</a> /
+            <a href="{{ docsroot }}">{% trans 'Documentation' as tmsg %} {{tmsg|force_escape}}</a> /
         {% endif %}
     {% endif %}
-    <a href="{% url 'admin:logout' %}">{% trans 'Log out' %}</a>
+    <a href="{% url 'admin:logout' %}">{% trans 'Log out' as tmsg %} {{tmsg|force_escape}}</a>
 {% endblock %}

lms/djangoapps/teams/static/teams/templates/date.underscore

@@ -1 +1 @@
-<abbr title="<%= date %>"></abbr>
+<abbr title="<%- date %>"></abbr>

lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore

@@ -1,16 +1,16 @@
 <li class="team-member">
-    <a class="member-profile" href="<%= memberProfileUrl %>">
-        <img class="image-url" src="<%= imageUrl %>" alt="<%= username %>'s profile page" />
+    <a class="member-profile" href="<%= memberProfileUrl /* xss-lint: disable=underscore-not-escaped */%>">
+        <img class="image-url" src="<%= imageUrl /* xss-lint: disable=underscore-not-escaped */%>" alt="<%= username /* xss-lint: disable=underscore-not-escaped */%>'s profile page" />
     </a>
     <div class="member-info-container">
-    	<span class="primary"><%= username %></span>
+    	<span class="primary"><%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     	<div class="secondary">
-    		<span id="date-joined"><%= dateJoined %></span>
+    		<span id="date-joined"><%= dateJoined /* xss-lint: disable=underscore-not-escaped */%></span>
     		<span> | </span>
-    		<span id="last-active"><%= lastActive %></span>
+    		<span id="last-active"><%= lastActive /* xss-lint: disable=underscore-not-escaped */%></span>
     	</div>
     </div>
-    <button class="action-remove-member" data-username="<%= username %>">
-        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username %></span>
+    <button class="action-remove-member" data-username="<%= username /* xss-lint: disable=underscore-not-escaped */%>">
+        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     </button>
 </li>

lms/static/js/views/file_uploader.js

@@ -38,7 +38,7 @@
                     return optionVal || default_value;
                 },
                 submitButton, resultNotification;
-
+            // xss-lint: disable=javascript-jquery-html
             this.$el.html(this.template({
                 title: get_option_with_default('title', ''),
                 inputLabel: get_option_with_default('inputLabel', ''),

themes/stanford-style/lms/templates/static_templates/tos.html

@@ -1,4 +1,5 @@
 ## mako
+<%page expression_filter="h"/>
 <%!
   from django.utils.translation import ugettext as _
 %>
@@ -27,6 +28,7 @@
 <script>
     $(document).ready(function() {
         var print_tos = '<input type="button" value="Print Terms of Service" class="print">';
+        // xss-lint: disable=javascript-jquery-prepend, javascript-jquery-append
         $('#content section.tos').prepend(print_tos).append(print_tos);
         $('#content section.tos input.print').click(function() {
             window.print();