From b91d1f225688c147d3794e8d1c723bbf0de05901 Mon Sep 17 00:00:00 2001
From: Calen Pennington <cale@edx.org>
Date: Wed, 23 Mar 2016 11:59:53 -0400
Subject: [PATCH] XSS escape cms/templates/asset_index.html

---
 cms/templates/asset_index.html | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/cms/templates/asset_index.html b/cms/templates/asset_index.html
index b142e3a83b..793757b232 100644
--- a/cms/templates/asset_index.html
+++ b/cms/templates/asset_index.html
@@ -1,10 +1,13 @@
+<%page expression_filter="h"/>
 <%inherit file="base.html" />
 <%def name="online_help_token()"><% return "files" %></%def>
 <%!
   from django.core.urlresolvers import reverse
   from django.utils.translation import ugettext as _
+  from openedx.core.djangolib.markup import Text, HTML
+  from openedx.core.djangolib.js_utils import js_escaped_string, dump_js_escaped_json
 %>
-<%block name="title">${_("Files &amp; Uploads")}</%block>
+<%block name="title">${_("Files & Uploads")}</%block>
 <%block name="bodyclass">is-signedin course uploads view-uploads</%block>
 
 <%namespace name='static' file='static_content.html'/>
@@ -20,10 +23,10 @@
 <%block name="requirejs">
     require(["js/factories/asset_index"], function (AssetIndexFactory) {
         AssetIndexFactory({
-          assetCallbackUrl: "${asset_callback_url}",
-          uploadChunkSizeInMBs: ${chunk_size_in_mbs},
-          maxFileSizeInMBs: ${max_file_size_in_mbs},
-          maxFileSizeRedirectUrl: "${max_file_size_redirect_url}"
+          assetCallbackUrl: "${asset_callback_url|n, js_escaped_string}",
+          uploadChunkSizeInMBs: ${chunk_size_in_mbs|n, dump_js_escaped_json},
+          maxFileSizeInMBs: ${max_file_size_in_mbs|n, dump_js_escaped_json},
+          maxFileSizeRedirectUrl: "${max_file_size_redirect_url|n, js_escaped_string}"
         });
     });
 </%block>
@@ -34,7 +37,7 @@
     <header class="mast has-actions has-subtitle">
         <h1 class="page-header">
             <small class="subtitle">${_("Content")}</small>
-            <span class="sr">&gt; </span>${_("Files &amp; Uploads")}
+            <span class="sr">&gt; </span>${_("Files & Uploads")}
         </h1>
 
         <nav class="nav-actions" aria-label="${_('Page Actions')}">
@@ -61,18 +64,18 @@
             <div class="bit">
                 <h3 class="title-3">${_("Adding Files for Your Course")}</h3>
 
-                <p>${_("To add files to use in your course, click {em_start}Upload New File{em_end}. Then follow the prompts to upload a file from your computer.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("To add files to use in your course, click {em_start}Upload New File{em_end}. Then follow the prompts to upload a file from your computer.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
 
-                <p>${_("{em_start}Caution{em_end}: {platform_name} recommends that you limit the file size to {em_start}10 MB{em_end}. In addition, do not upload video or audio files. You should use a third party service to host multimedia files.").format(em_start='<strong>', em_end="</strong>", platform_name=settings.PLATFORM_NAME)}</p>
+                <p>${Text(_("{em_start}Caution{em_end}: {platform_name} recommends that you limit the file size to {em_start}10 MB{em_end}. In addition, do not upload video or audio files. You should use a third party service to host multimedia files.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"), platform_name=settings.PLATFORM_NAME)}</p>
 
             	<p>${_("The course image, textbook chapters, and files that appear on your Course Handouts sidebar also appear in this list.")}</p>
             </div>
             <div class="bit">
                 <h3 class="title-3">${_("Using File URLs")}</h3>
 
-                <p>${_("Use the {em_start}{studio_name} URL{em_end} value to link to the file or image from a component, a course update, or a course handout.").format(studio_name=settings.STUDIO_SHORT_NAME, em_start="<strong>", em_end="</strong>")}</p>
+                <p>${Text(_("Use the {em_start}{studio_name} URL{em_end} value to link to the file or image from a component, a course update, or a course handout.")).format(studio_name=settings.STUDIO_SHORT_NAME, em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
 
-                <p>${_("Use the {em_start}Web URL{em_end} value to reference the file or image only from outside of your course. {em_start}Note:{em_end} If you lock a file, the Web URL no longer works for external access to a file.").format(em_start='<strong>', em_end="</strong>")}</p>
+                <p>${Text(_("Use the {em_start}Web URL{em_end} value to reference the file or image only from outside of your course. {em_start}Note:{em_end} If you lock a file, the Web URL no longer works for external access to a file.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
 
                 <p>${_("To copy a URL, double click the value in the URL column, then copy the selected text.")}</p>
             </div>