From c9b0e12d397da2973c87d2804e30ff0d81660621 Mon Sep 17 00:00:00 2001
From: Adam Palay <adam@edx.org>
Date: Fri, 13 May 2016 11:15:00 -0400
Subject: [PATCH] use markupspace for escaping

---
 lms/djangoapps/bulk_email/tasks.py            | 4 ++--
 lms/djangoapps/bulk_email/tests/test_email.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lms/djangoapps/bulk_email/tasks.py b/lms/djangoapps/bulk_email/tasks.py
index 80df91a09d..6feec4f3db 100644
--- a/lms/djangoapps/bulk_email/tasks.py
+++ b/lms/djangoapps/bulk_email/tasks.py
@@ -3,7 +3,6 @@
 This module contains celery task functions for handling the sending of bulk email
 to a course.
 """
-import cgi
 from collections import Counter
 import json
 import logging
@@ -25,6 +24,7 @@ from boto.ses.exceptions import (
     SESIllegalAddressError,
 )
 from boto.exception import AWSConnectionError
+from markupsafe import escape
 
 from celery import task, current_task  # pylint: disable=no-name-in-module
 from celery.states import SUCCESS, FAILURE, RETRY  # pylint: disable=no-name-in-module, import-error
@@ -434,7 +434,7 @@ def _get_source_address(course_id, course_title, truncate=True):
 
     # It seems that this value is also escaped when set out to amazon, judging
     # from our logs
-    escaped_encoded_from_addr = cgi.escape(encoded_from_addr)
+    escaped_encoded_from_addr = escape(encoded_from_addr)
     if len(escaped_encoded_from_addr) >= 320 and truncate:
         from_addr = format_address(course_name)
 
diff --git a/lms/djangoapps/bulk_email/tests/test_email.py b/lms/djangoapps/bulk_email/tests/test_email.py
index 08ca3fc893..a60262573d 100644
--- a/lms/djangoapps/bulk_email/tests/test_email.py
+++ b/lms/djangoapps/bulk_email/tests/test_email.py
@@ -2,8 +2,8 @@
 """
 Unit tests for sending course email
 """
-import cgi
 import json
+from markupsafe import escape
 from mock import patch, Mock
 from nose.plugins.attrib import attr
 import os
@@ -344,7 +344,7 @@ class TestEmailSendFromDashboardMockedHtmlToText(EmailSendFromDashboardTestCase)
         __, encoded_unexpected_from_addr = forbid_multi_line_headers(
             "from", unexpected_from_addr, 'utf-8'
         )
-        escaped_encoded_unexpected_from_addr = cgi.escape(encoded_unexpected_from_addr)
+        escaped_encoded_unexpected_from_addr = escape(encoded_unexpected_from_addr)
 
         # it's shorter than 320 characters when just encoded
         self.assertEqual(len(encoded_unexpected_from_addr), 318)