From b497210f172617cd4f5eda37405ff3b79431b55b Mon Sep 17 00:00:00 2001
From: Adeel Khan <muhammad.adeel@arbisoft.com>
Date: Mon, 22 Jan 2018 18:31:24 +0500
Subject: [PATCH] strip_all_tags_but_br_filter would return HTML safe string.

Now returning HTML safe string to template instead
of just bleaching string for br tags.

LEARNER-3930
---
 openedx/core/djangolib/markup.py            |  4 ++--
 openedx/core/djangolib/tests/test_markup.py |  9 +++++++++
 scripts/tests/test_xss_linter.py            | 15 +++++++++++++++
 scripts/xss_linter.py                       |  3 +++
 4 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/openedx/core/djangolib/markup.py b/openedx/core/djangolib/markup.py
index 0cea1d4af9..42ff88b26a 100644
--- a/openedx/core/djangolib/markup.py
+++ b/openedx/core/djangolib/markup.py
@@ -37,7 +37,7 @@ def HTML(html):                                 # pylint: disable=invalid-name
 
 def strip_all_tags_but_br(string_to_strip):
     """
-    Strips all tags from a string except <br/>
+    Strips all tags from a string except <br/> and marks as HTML.
 
     Usage:
         <%page expression_filter="h"/>
@@ -53,4 +53,4 @@ def strip_all_tags_but_br(string_to_strip):
     string_to_strip = decode.utf8(string_to_strip)
     string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True)
 
-    return string_to_strip
+    return HTML(string_to_strip)
diff --git a/openedx/core/djangolib/tests/test_markup.py b/openedx/core/djangolib/tests/test_markup.py
index f8a347bace..6aafb86209 100644
--- a/openedx/core/djangolib/tests/test_markup.py
+++ b/openedx/core/djangolib/tests/test_markup.py
@@ -90,3 +90,12 @@ class FormatHtmlTest(unittest.TestCase):
 
         self.assertIn('<br>', rendered_template)
         self.assertNotIn('<script>', rendered_template)
+
+    def test_strip_all_tags_but_br_returns_html(self):
+        """
+        Verify filter returns HTML Markup safe string object
+        """
+
+        html = strip_all_tags_but_br('{name}<br><script>')
+        html = html.format(name='Rock & Roll')
+        self.assertEqual(html.decode(), u'Rock &amp; Roll<br>')
diff --git a/scripts/tests/test_xss_linter.py b/scripts/tests/test_xss_linter.py
index b5239ba8b8..40dd94c802 100644
--- a/scripts/tests/test_xss_linter.py
+++ b/scripts/tests/test_xss_linter.py
@@ -592,6 +592,21 @@ class TestMakoTemplateLinter(TestLinter):
 
         self.assertEqual(len(results.violations), 0)
 
+    def test_check_mako_expressions_in_html_with_escape_filter(self):
+        """
+        Test _check_mako_file_is_safe results in no violations,
+        when strip_all_tags_but_br filter is applied in html context
+        """
+        linter = MakoTemplateLinter()
+        results = FileResults('')
+
+        mako_template = textwrap.dedent("""
+            ${x | n, strip_all_tags_but_br}
+        """)
+
+        linter._check_mako_file_is_safe(mako_template, results)
+        self.assertEqual(len(results.violations), 0)
+
     def test_check_mako_expressions_in_html_without_default(self):
         """
         Test _check_mako_file_is_safe in html context without the page level
diff --git a/scripts/xss_linter.py b/scripts/xss_linter.py
index aa89801332..db32f31cfe 100755
--- a/scripts/xss_linter.py
+++ b/scripts/xss_linter.py
@@ -2272,6 +2272,9 @@ class MakoTemplateLinter(BaseLinter):
                     results.violations.append(ExpressionRuleViolation(
                         Rules.mako_unwanted_html_filter, expression
                     ))
+            elif filters == ['n', 'strip_all_tags_but_br']:
+                # {x | n,  strip_all_tags_but_br} is valid in html context
+                pass
             else:
                 results.violations.append(ExpressionRuleViolation(
                     Rules.mako_invalid_html_filter, expression