From f565c75d9477aea86f0a66c9421a141d29eaba68 Mon Sep 17 00:00:00 2001
From: Adeel Khan <muhammad.adeel@arbisoft.com>
Date: Thu, 18 Jun 2020 15:09:55 +0500
Subject: [PATCH] Fixes xss issues.

PROD-1532
PROD-1533
PROD-1577
PROD-1578
---
 lms/templates/student_account/register.underscore         | 2 +-
 .../verify_student/test/fake_softwaresecure_response.html | 4 ++--
 .../learner_profile/templates/badge_list.underscore       | 8 ++++----
 .../templates/badge_placeholder.underscore                | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lms/templates/student_account/register.underscore b/lms/templates/student_account/register.underscore
index 3a0e705f0e..1bd10d9d8a 100644
--- a/lms/templates/student_account/register.underscore
+++ b/lms/templates/student_account/register.underscore
@@ -51,7 +51,7 @@
         <span class="auto-register-message"><%- context.autoRegisterWelcomeMessage %></span>
     <% } %>
 
-    <%= context.fields %>
+    <%= context.fields /* xss-lint: disable=underscore-not-escaped */ %>
 
     <div class="form-field checkbox-optional_fields_toggle">
         <input type="checkbox" id="toggle_optional_fields" class="input-block checkbox"">
diff --git a/lms/templates/verify_student/test/fake_softwaresecure_response.html b/lms/templates/verify_student/test/fake_softwaresecure_response.html
index d32a9a0d40..0a15a241fc 100644
--- a/lms/templates/verify_student/test/fake_softwaresecure_response.html
+++ b/lms/templates/verify_student/test/fake_softwaresecure_response.html
@@ -65,10 +65,10 @@ $(document).ready(function() {
             data: JSON.stringify(data),
             contentType: "application/json;",
             success: function () {
-               $('#success-info').html('status updated.');
+               $('#success-info').text('status updated.');
             },
             error: function(jqXHR, textStatus, errorThrown) {
-                $('#errors-info').html(jqXHR.responseText);
+                $('#errors-info').text(jqXHR.responseText);
             }
         });
     }
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore b/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
index 23e722f9bc..80c2cc2ca7 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
@@ -1,4 +1,4 @@
-<div class="sr-is-focusable sr-<%= type %>-view" tabindex="-1"></div>
-<div class="<%= type %>-paging-header"></div>
-<div class="<%= type %>-list cards-list"></div>
-<div class="<%= type %>-paging-footer"></div>
+<div class="sr-is-focusable sr-<%- type %>-view" tabindex="-1"></div>
+<div class="<%- type %>-paging-header"></div>
+<div class="<%- type %>-list cards-list"></div>
+<div class="<%- type %>-paging-footer"></div>
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore b/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
index fc24899d97..b7eb9976e8 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
@@ -5,6 +5,6 @@
   <div class="badge-details">
     <div class="badge-name"><%- gettext("What's Your Next Accomplishment?") %></div>
     <p class="badge-description"><%- gettext('Start working toward your next learning goal.') %></p>
-    <a class="find-course" href="<%= find_courses_url %>"><span class="find-button-container"><%- gettext('Find a course') %></span></a>
+    <a class="find-course" href="<%- find_courses_url %>"><span class="find-button-container"><%- gettext('Find a course') %></span></a>
   </div>
 </div>