From b81a15d57f6ff72dda8ba3b8d8db3f21c95bcd8a Mon Sep 17 00:00:00 2001
From: Calen Pennington <cale@edx.org>
Date: Wed, 23 Mar 2016 15:56:22 -0400
Subject: [PATCH] XSS escape cms/templates/course_outline.html

---
 cms/djangoapps/contentstore/views/course.py |  5 +----
 cms/templates/course_outline.html           | 13 ++++++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/cms/djangoapps/contentstore/views/course.py b/cms/djangoapps/contentstore/views/course.py
index 9670ee3cf5..abcbb67397 100644
--- a/cms/djangoapps/contentstore/views/course.py
+++ b/cms/djangoapps/contentstore/views/course.py
@@ -553,11 +553,8 @@ def _deprecated_blocks_info(course_module, deprecated_block_types):
     except errors.CourseStructureNotAvailableError:
         return data
 
-    blocks = []
     for block in structure_data['blocks'].values():
-        blocks.append([reverse_usage_url('container_handler', block['parent']), block['display_name']])
-
-    data['blocks'].extend(blocks)
+        data['blocks'].append([reverse_usage_url('container_handler', block['parent']), block['display_name']])
 
     return data
 
diff --git a/cms/templates/course_outline.html b/cms/templates/course_outline.html
index 6c1f97d90e..16b34e31fe 100644
--- a/cms/templates/course_outline.html
+++ b/cms/templates/course_outline.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "outline" %></%def>
 <%!
@@ -7,6 +8,7 @@ from django.utils.translation import ugettext as _
 from openedx.core.djangolib.js_utils import dump_js_escaped_json
 from contentstore.utils import reverse_usage_url
 from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
+from openedx.core.djangolib.markup import Text, HTML
 %>
 <%block name="title">${_("Course Outline")}</%block>
 <%block name="bodyclass">is-signedin course view-outline</%block>
@@ -71,7 +73,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                       % for component_parent_url, component_display_name in deprecated_blocks_info['blocks']:
                           <li class="nav-item">
                                 % if component_display_name:
-                                    <a href="${component_parent_url}">${_(component_display_name)}</a>
+                                    <a href="${component_parent_url}">${component_display_name}</a>
                                 % else:
                                     <a href="${component_parent_url}">${_("Deprecated Component")}</a>
                                 % endif
@@ -85,9 +87,10 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
             % if deprecated_blocks_info.get('block_types_enabled'):
               <div class="advance-modules-list">
                 <p class="advance-modules-remove-text">
-                  ${_("To avoid errors, {platform_name} strongly recommends that you remove unsupported features from the course advanced settings. To do this, go to the {link_start}Advanced Settings page{link_end}, locate the \"Advanced Module List\" setting, and then delete the following modules from the list.").format(
+                  ${Text(_("To avoid errors, {platform_name} strongly recommends that you remove unsupported features from the course advanced settings. To do this, go to the {link_start}Advanced Settings page{link_end}, locate the \"Advanced Module List\" setting, and then delete the following modules from the list.")).format(
                     platform_name=static.get_platform_name(),
-                    link_start='<a href="{advance_settings_url}">'.format(advance_settings_url=deprecated_blocks_info['advance_settings_url']), link_end="</a>"
+                    link_start=HTML('<a href="{advance_settings_url}">').format(advance_settings_url=deprecated_blocks_info['advance_settings_url']),
+                    link_end=HTML("</a>")
                   )}
                 </p>
                 <nav class="nav-related" aria-label="${_('Unsupported Advance Modules')}">
@@ -178,7 +181,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                 course_locator = context_course.location
                 %>
                 <h2 class="sr">${_("Course Outline")}</h2>
-                <article class="outline outline-complex outline-course" data-locator="${course_locator | h}" data-course-key="${course_locator.course_key | h}">
+                <article class="outline outline-complex outline-course" data-locator="${course_locator}" data-course-key="${course_locator.course_key}">
                 </article>
             </div>
             <div class="ui-loading">
@@ -196,7 +199,7 @@ from openedx.core.djangoapps.self_paced.models import SelfPacedConfiguration
                 <p>${_("Select the Configure icon for a section or subsection to set its release date. When you configure a subsection, you can also set the grading policy and due date.")}</p>
                 <h3 class="title-3">${_("Changing the content students see")}</h3>
                 <p>${_("To publish draft content, select the Publish icon for a section, subsection, or unit.")}</p>
-                <p>${_("To hide content from students, select the Configure icon for a section, subsection, or unit, then select {em_start}Hide from students{em_end}.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("To hide content from students, select the Configure icon for a section, subsection, or unit, then select {em_start}Hide from students{em_end}.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
             </div>
             <div class="bit external-help">
                 <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>