Fix courseware's app for xss injections.

PROD-465

lms/templates/courseware/course_updates.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%! from django.utils.translation import ugettext as _ %>
 <div class="recent-updates">
   % for index, update in enumerate(visible_updates):
@@ -14,7 +15,7 @@
         ></button>
       % endif
       <div class="toggle-visibility-element article-content ${'hidden' if index >= 1 else ''}" id="msg-content-${index}">
-      ${update.get("content")}
+      ${update.get("content") | n, decode.utf8}
       </div>
     </article>
   % endfor
@@ -42,7 +43,7 @@
           aria-controls="msg-content-${index + len(visible_updates)}"
           aria-expanded="false"
       ></button>
-      <div class="toggle-visibility-element article-content hidden" id="msg-content-${index + len(visible_updates)}">${update.get("content")}</div>
+      <div class="toggle-visibility-element article-content hidden" id="msg-content-${index + len(visible_updates)}">${update.get("content") | n, decode.utf8}</div>
     </article>
   % endfor
 </div>

lms/templates/courseware/error-message.html

@@ -1,10 +1,11 @@
 ## mako
+<%page expression_filter="h"/>
 <%namespace name='static' file='../static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
 from openedx.core.djangolib.markup import HTML, Text
 %>
 <%
-    tech_support_email='<a href=\"mailto:{tech_support_email}\">{tech_support_email}</a>'.format(tech_support_email=static.get_tech_support_email_address())
+    tech_support_email=HTML('<a href=\"mailto:{tech_support_email}\">{tech_support_email}</a>').format(tech_support_email=static.get_tech_support_email_address())
 %>
-<p>${_("We're sorry, this module is temporarily unavailable. Our staff is working to fix it as soon as possible. Please email us at {tech_support_email} to report any problems or downtime.").format(tech_support_email=tech_support_email)}</p>
+<p>${Text(_("We're sorry, this module is temporarily unavailable. Our staff is working to fix it as soon as possible. Please email us at {tech_support_email} to report any problems or downtime.")).format(tech_support_email=tech_support_email)}</p>

lms/templates/courseware/gradebook.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
 <%!

lms/templates/courseware/news.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="main.html" />
 <%namespace name='static' file='../static_content.html'/>
 <%! from django.utils.translation import ugettext as _ %>
@@ -18,7 +19,7 @@
   <div class="course-wrapper">
     <section class="course-content">
       <h3> ${_("Updates to Discussion Posts You Follow")} </h3>
-      ${content}
+      ${content | n, decode.utf8}
     </section>
   </div>
 </section>

lms/templates/courseware/syllabus.html

@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="/main.html" />
 <%namespace name='static' file='/static_content.html'/>
 <%!
@@ -10,7 +11,7 @@ from courseware.courses import get_course_syllabus_section
 <%static:css group='style-course'/>
 </%block>
 
-<%block name="pagetitle">${_("{course.display_number_with_default} Course Info").format(course=course) | h}</%block>
+<%block name="pagetitle">${_("{course.display_number_with_default} Course Info").format(course=course)}</%block>
 
 <%include file="/courseware/course_navigation.html" args="active_page='syllabus'" />
 
@@ -19,9 +20,9 @@ from courseware.courses import get_course_syllabus_section
     <div class="syllabus">
         <h1>${_("Syllabus")}</h1>
         % if user.is_authenticated:
-        ${get_course_syllabus_section(course, 'syllabus')}
+        ${get_course_syllabus_section(course, 'syllabus') | n, decode.utf8}
         % else:
-        ${get_course_syllabus_section(course, 'guest_syllabus')}
+        ${get_course_syllabus_section(course, 'guest_syllabus') | n, decode.utf8}
         % endif
     </div>
   </div>