diff --git a/cms/static/js/views/baseview.js b/cms/static/js/views/baseview.js index a09f4a7e68..6263145096 100644 --- a/cms/static/js/views/baseview.js +++ b/cms/static/js/views/baseview.js @@ -44,6 +44,7 @@ define(['jquery', 'underscore', 'backbone', 'gettext', 'js/utils/handle_iframe_b this.options = options; var _this = this; + // xss-lint: disable=javascript-jquery-insertion this.render = _.wrap(this.render, function(render, options) { _this.beforeRender(); render(options); diff --git a/cms/static/js/views/license.js b/cms/static/js/views/license.js index 77357431c8..d88f0e167d 100644 --- a/cms/static/js/views/license.js +++ b/cms/static/js/views/license.js @@ -82,7 +82,7 @@ define([ }, render: function() { - this.$el.html(_.template(licenseSelectorTemplate)({ + edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.template(licenseSelectorTemplate)({ model: this.model.attributes, licenseString: this.model.toString() || '', licenseInfo: this.licenseInfo, diff --git a/cms/static/js/views/list.js b/cms/static/js/views/list.js index 7ec03927f2..4e8a4aecb7 100644 --- a/cms/static/js/views/list.js +++ b/cms/static/js/views/list.js @@ -38,7 +38,7 @@ define([ }, render: function(model) { - this.$el.html(this.template({ + var template = this.template({ itemCategoryDisplayName: this.itemCategoryDisplayName, newItemMessage: this.newItemMessage, emptyMessage: this.emptyMessage, @@ -46,7 +46,8 @@ define([ isEditing: model && model.get('editing'), canCreateNewItem: this.canCreateItem(this.collection), restrictEditing: this.restrictEditing - })); + }); + edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.HTML(template)); this.collection.each(function(model) { this.$(this.listContainerCss).append( diff --git a/cms/static/js/views/manage_users_and_roles.js b/cms/static/js/views/manage_users_and_roles.js index 76fd8e1632..18244a973b 100644 --- a/cms/static/js/views/manage_users_and_roles.js +++ b/cms/static/js/views/manage_users_and_roles.js 
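Review bot: The added `// xss-lint: disable=javascript-jquery-insertion` carries no rationale, so a later reader has to rediscover why a rule about jQuery insertions applies to a line that only wraps a function. The rule presumably matches the `.wrap(` in `_.wrap(`, which is Underscore's function wrapper and inserts nothing into the DOM; spelling that out, `// xss-lint: disable=javascript-jquery-insertion (Underscore _.wrap, not jQuery .wrap(); no DOM insertion here)`, keeps the suppression honest. The wrapped render function continues past the end of this hunk.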
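Review bot: The new render line reaches HtmlUtils through the global `edx.HtmlUtils` rather than the module system, while manage_users_and_roles.js, uploads.js and xblock_string_field_editor.js in this same commit add `'edx-ui-toolkit/js/utils/html-utils'` to their define() lists. list.js and message_manager.js take the global route as well, and the callback signature shown in message_manager's hunk header (`function($, Backbone, _, Utils, FileUploader, gettext)`) confirms HtmlUtils is not injected there. Relying on the global makes render fail with a TypeError if this view runs before the toolkit has been attached to `edx`; adding the dependency and using an injected `HtmlUtils` would match the other files. The define line for license.js is outside this hunk, so whether it already lists the dependency cannot be seen here.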
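Review bot: `var template = this.template({` names the variable after the template function while it actually holds the rendered HTML string, which makes the wrapping in the following hunk read as if a template object were being marked safe. `var renderedHtml = this.template({` (with the matching `edx.HtmlUtils.HTML(renderedHtml)` in the next hunk) would make the intent plain. render's body continues into the next hunk.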
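Review bot: `edx.HtmlUtils.HTML(template)` on the new setHtml line does not escape anything; it marks an already-rendered string as trusted markup, so the XSS protection of this view is exactly what `this.template` provides and this hunk only relocates the linter warning. The same pattern appears in manage_users_and_roles.js (`HtmlUtils.HTML(templateFn(template_data)).toString()`) and xblock_string_field_editor.js (`HtmlUtils.HTML(this.template(attributes)).toString()`). Each of those sites would be clearer with a comment naming the real guarantee, e.g. `// template output is trusted: the template escapes every interpolated value`, once that has been confirmed for the template in question. The next context line, `this.$(this.listContainerCss).append(`, is a further jQuery insertion this commit leaves unchanged.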
@@ -1,9 +1,9 @@ /* Code for editing users and assigning roles within a course or library team context. */ -define(['jquery', 'underscore', 'gettext', 'js/views/baseview', - 'common/js/components/views/feedback_prompt', 'common/js/components/utils/view_utils'], - function($, _, gettext, BaseView, PromptView, ViewUtils) { +define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/components/views/feedback_prompt', + 'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils'], + function($, _, gettext, BaseView, PromptView, ViewUtils, HtmlUtils) { 'use strict'; var default_messages = { defaults: { @@ -157,7 +157,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/baseview', viewHelpers: viewHelpers }; - this.$userList.append(templateFn(template_data)); + this.$userList.append(HtmlUtils.HTML(templateFn(template_data)).toString()); } }, diff --git a/cms/static/js/views/uploads.js b/cms/static/js/views/uploads.js index b93cf324e3..c71d5bf060 100644 --- a/cms/static/js/views/uploads.js +++ b/cms/static/js/views/uploads.js @@ -1,5 +1,7 @@ -define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery.form'], - function($, _, gettext, BaseModal) { +define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'edx-ui-toolkit/js/utils/html-utils', + 'jquery.form'], + function($, _, gettext, BaseModal, HtmlUtils) { + 'use strict'; var UploadDialog = BaseModal.extend({ events: _.extend({}, BaseModal.prototype.events, { 'change input[type=file]': 'selectFile', 
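Review bot: Adding `'use strict';` to an existing module is a behaviour change for the whole file, not only for the HtmlUtils dependency this hunk introduces: any assignment to an undeclared variable or write to a read-only property elsewhere in uploads.js now throws instead of silently succeeding. The module body is outside this hunk, so it needs a pass for such patterns; the same applies to the `'use strict';` added in xblock_string_field_editor.js. The `'jquery.form'` entry is kept as a side-effect dependency with no matching parameter, which is fine but deserves a trailing comment such as `// jquery.form: plugin, no export` now that it sits on a line of its own.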
@@ -42,7 +44,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery // a blank input to prompt the user to upload a different (valid) file. if (selectedFile && isValid) { $(oldInput).removeClass('error'); - this.$('input[type=file]').replaceWith(oldInput); + this.$('input[type=file]').replaceWith(HtmlUtils.ensureHtml(oldInput).toString()); this.$('.action-upload').removeClass('disabled'); } else { this.$('.action-upload').addClass('disabled'); @@ -53,7 +55,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery getContentHtml: function() { return this.template({ url: this.options.url || CMS.URL.UPLOAD_ASSET, - message: this.model.escape('message'), + message: this.model.get('message'), selectedFile: this.model.get('selectedFile'), uploading: this.model.get('uploading'), uploadedBytes: this.model.get('uploadedBytes'), diff --git a/cms/static/js/views/video/transcripts/message_manager.js b/cms/static/js/views/video/transcripts/message_manager.js index 84d673410b..8c645e3a38 100644 --- a/cms/static/js/views/video/transcripts/message_manager.js +++ b/cms/static/js/views/video/transcripts/message_manager.js @@ -74,16 +74,15 @@ function($, Backbone, _, Utils, FileUploader, gettext) { return this; } - template = _.template(tplHtml); + template = edx.HtmlUtils.template(tplHtml); - this.$el.find('.transcripts-status') - .removeClass('is-invisible') - .find(this.elClass).html(template({ - component_locator: encodeURIComponent(this.component_locator), - html5_list: html5List, - grouped_list: groupedList, - subs_id: (params) ? params.subs : '' - })); + edx.HtmlUtils.setHtml( + this.$el.find('.transcripts-status').removeClass('is-invisible').find(this.elClass), template({ + component_locator: encodeURIComponent(this.component_locator), + html5_list: html5List, + grouped_list: groupedList, + subs_id: (params) ? params.subs : '' + })); this.fileUploader.render(); 
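Review bot: `HtmlUtils.ensureHtml(oldInput).toString()` in the replaceWith call does not round-trip a DOM node: `$(oldInput).removeClass('error')` two lines earlier suggests oldInput is an element rather than markup, and stringifying an element yields text like `[object HTMLInputElement]` instead of its HTML, so the file input would be replaced by that literal text. Inserting a node via replaceWith parses no HTML, so the original line was safe as written; keeping `this.$('input[type=file]').replaceWith(oldInput);` with a `// xss-lint: disable=javascript-jquery-insertion (a DOM node is inserted, not markup)` comment is the simpler fix. Whether ensureHtml escapes plain strings is not visible here, but either way a node is not preserved. selectFile starts outside this hunk.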
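Review bot: Replacing `this.model.escape('message')` with `this.model.get('message')` removes the only HTML escaping this hunk shows for message, so its safety now rests entirely on how `this.template` interpolates it, and that template is not part of this diff. Unless the template is confirmed to use an escaping interpolation for message, this is an XSS regression for any message carrying user- or server-controlled text (presumably a file name or an upload error). Either keep `message: this.model.escape('message'),` or, once verified, add `// message is escaped by the template; do not pre-escape here (double-escaping)` at the call site. The template used by getContentHtml is referenced but not defined in this hunk.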
@@ -106,11 +105,7 @@ function($, Backbone, _, Utils, FileUploader, gettext) { if (err) { // Hide any other error messages. this.hideError(); - - $error - .html(gettext(err)) - .removeClass(this.invisibleClass); - + edx.HtmlUtils.setHtml($error, gettext(err)).removeClass(this.invisibleClass); if (hideButtons) { this.$el.find('.wrapper-transcripts-buttons') .addClass(this.invisibleClass); diff --git a/cms/static/js/views/xblock_string_field_editor.js b/cms/static/js/views/xblock_string_field_editor.js index d9eeb14fce..e847c72736 100644 --- a/cms/static/js/views/xblock_string_field_editor.js +++ b/cms/static/js/views/xblock_string_field_editor.js @@ -5,8 +5,9 @@ * XBlock field's value if it has been changed. If the user presses Escape, then any changes will * be removed and the input hidden again. */ -define(['js/views/baseview', 'js/views/utils/xblock_utils'], - function(BaseView, XBlockViewUtils) { +define(['js/views/baseview', 'js/views/utils/xblock_utils', 'edx-ui-toolkit/js/utils/html-utils'], + function(BaseView, XBlockViewUtils, HtmlUtils) { + 'use strict'; var XBlockStringFieldEditor = BaseView.extend({ events: { 'click .xblock-field-value-edit': 'showInput', @@ -29,11 +30,13 @@ define(['js/views/baseview', 'js/views/utils/xblock_utils'], }, render: function() { - this.$el.append(this.template({ + var attributes = { + // xss-lint: disable=javascript-escape value: this.model.escape(this.fieldName), fieldName: this.fieldName, fieldDisplayName: this.fieldDisplayName - })); + }; + this.$el.append(HtmlUtils.HTML(this.template(attributes)).toString()); return this; },
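Review bot: `edx.HtmlUtils.setHtml($error, gettext(err)).removeClass(this.invisibleClass)` chains `.removeClass` onto setHtml's return value, so it silently depends on setHtml returning the jQuery object; if it does not, the error element stays hidden. Splitting it into `edx.HtmlUtils.setHtml($error, gettext(err));` followed by `$error.removeClass(this.invisibleClass);` removes that dependence and reads like the lines it replaced. Passing a plain string to setHtml also changes how markup inside err is treated compared with the old `.html()` call — presumably it is now rendered as text, the safer outcome for a server-supplied error — and that deserves a one-line comment so it is not "fixed" back later. The enclosing function starts outside this hunk.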
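Review bot: The `// xss-lint: disable=javascript-escape` line above `value: this.model.escape(this.fieldName)` silences the linter without saying why pre-escaping the attribute is correct; if `this.template` also escapes value, the field will display double-escaped text such as `&amp;` for `&`. Either pass `value: this.model.get(this.fieldName)` and let the template escape, or extend the comment to `// xss-lint: disable=javascript-escape -- template interpolates value raw, so it is escaped here`. The template is not visible in this diff, so which of the two applies has to be checked against it. `HtmlUtils.HTML(this.template(attributes)).toString()` on the append line adds no escaping of its own; it only marks the rendered string as trusted.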