From 71b5ef4771d51ed656ebb3d1a90cc03b92bffae5 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Mon, 22 Jun 2020 17:27:17 +0500
Subject: [PATCH 1/5] Fix XSS while prepending html

---
 themes/stanford-style/lms/templates/static_templates/tos.html | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/themes/stanford-style/lms/templates/static_templates/tos.html b/themes/stanford-style/lms/templates/static_templates/tos.html
index ad65e30bce..574b08d44b 100644
--- a/themes/stanford-style/lms/templates/static_templates/tos.html
+++ b/themes/stanford-style/lms/templates/static_templates/tos.html
@@ -1,4 +1,5 @@
 ## mako
+<%page expression_filter="h"/>
 <%!
   from django.utils.translation import ugettext as _
 %>
@@ -27,6 +28,7 @@
 <script>
     $(document).ready(function() {
         var print_tos = '<input type="button" value="Print Terms of Service" class="print">';
+        // xss-lint: disable=javascript-jquery-prepend, javascript-jquery-append
         $('#content section.tos').prepend(print_tos).append(print_tos);
         $('#content section.tos input.print').click(function() {
             window.print();

From 4e94304c8c65ffa9821dc497ea06c9bba6bda767 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Tue, 21 Jul 2020 15:01:32 +0500
Subject: [PATCH 2/5] Fix xss in base site template

---
 cms/templates/admin/base_site.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cms/templates/admin/base_site.html b/cms/templates/admin/base_site.html
index d050919de3..953b42d2bf 100644
--- a/cms/templates/admin/base_site.html
+++ b/cms/templates/admin/base_site.html
@@ -7,13 +7,13 @@
 {% block nav-global %}{% endblock %}
 {% block userlinks %}
     {% if site_url %}
-        <a href="{{ site_url }}">{% trans 'View site' %}</a> /
+        <a href="{{ site_url }}">{% trans 'View site' as tmsg%} {{tmsg|force_escape}}</a> /
     {% endif %}
     {% if user.is_active and user.is_staff %}
         {% url 'django-admindocs-docroot' as docsroot %}
         {% if docsroot %}
-            <a href="{{ docsroot }}">{% trans 'Documentation' %}</a> /
+            <a href="{{ docsroot }}">{% trans 'Documentation' as tmsg %} {{tmsg|force_escape}}</a> /
         {% endif %}
     {% endif %}
-    <a href="{% url 'admin:logout' %}">{% trans 'Log out' %}</a>
+    <a href="{% url 'admin:logout' %}">{% trans 'Log out' as tmsg %} {{tmsg|force_escape}}</a>
 {% endblock %}

From 1f9ff0b1083c31cac69c562e00e8e126f19e66b7 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Wed, 22 Jul 2020 02:40:19 +0500
Subject: [PATCH 3/5] Fix xss while rendering file-upload

---
 lms/static/js/views/file_uploader.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/static/js/views/file_uploader.js b/lms/static/js/views/file_uploader.js
index d897852f95..18c4ef5af7 100644
--- a/lms/static/js/views/file_uploader.js
+++ b/lms/static/js/views/file_uploader.js
@@ -38,7 +38,7 @@
                     return optionVal || default_value;
                 },
                 submitButton, resultNotification;
-
+            // xss-lint: disable=javascript-jquery-html
             this.$el.html(this.template({
                 title: get_option_with_default('title', ''),
                 inputLabel: get_option_with_default('inputLabel', ''),

From a006eef3640bd17a6e62052de7be95fc225301b2 Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Wed, 22 Jul 2020 02:24:27 +0500
Subject: [PATCH 4/5] Fix xss in date

---
 lms/djangoapps/teams/static/teams/templates/date.underscore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/djangoapps/teams/static/teams/templates/date.underscore b/lms/djangoapps/teams/static/teams/templates/date.underscore
index dcf5083f62..12ef50cdc4 100644
--- a/lms/djangoapps/teams/static/teams/templates/date.underscore
+++ b/lms/djangoapps/teams/static/teams/templates/date.underscore
@@ -1 +1 @@
-<abbr title="<%= date %>"></abbr>
+<abbr title="<%- date %>"></abbr>

From 6b8f9031883a52e492000e31ebc010816b3f02ac Mon Sep 17 00:00:00 2001
From: uzairr <uzairr@yahoo.com>
Date: Wed, 22 Jul 2020 02:57:48 +0500
Subject: [PATCH 5/5] Fix xss in edit member template

---
 .../teams/templates/edit-team-member.underscore    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore b/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
index d98af57c0d..b8bc9839c1 100644
--- a/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
+++ b/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
@@ -1,16 +1,16 @@
 <li class="team-member">
-    <a class="member-profile" href="<%= memberProfileUrl %>">
-        <img class="image-url" src="<%= imageUrl %>" alt="<%= username %>'s profile page" />
+    <a class="member-profile" href="<%= memberProfileUrl /* xss-lint: disable=underscore-not-escaped */%>">
+        <img class="image-url" src="<%= imageUrl /* xss-lint: disable=underscore-not-escaped */%>" alt="<%= username /* xss-lint: disable=underscore-not-escaped */%>'s profile page" />
     </a>
     <div class="member-info-container">
-    	<span class="primary"><%= username %></span>
+    	<span class="primary"><%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     	<div class="secondary">
-    		<span id="date-joined"><%= dateJoined %></span>
+    		<span id="date-joined"><%= dateJoined /* xss-lint: disable=underscore-not-escaped */%></span>
     		<span> | </span>
-    		<span id="last-active"><%= lastActive %></span>
+    		<span id="last-active"><%= lastActive /* xss-lint: disable=underscore-not-escaped */%></span>
     	</div>
     </div>
-    <button class="action-remove-member" data-username="<%= username %>">
-        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username %></span>
+    <button class="action-remove-member" data-username="<%= username /* xss-lint: disable=underscore-not-escaped */%>">
+        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     </button>
 </li>