From 79783800b4b6ea88ac5d0e17fc78f348023d8100 Mon Sep 17 00:00:00 2001
From: Simon Chen <schen@edx.org>
Date: Wed, 23 Mar 2016 11:26:21 -0400
Subject: [PATCH] Escape properly the elements on the dashboard xseries upsell
 template

---
 .../dashboard/_dashboard_certificate_information.html |  8 +++++---
 lms/templates/dashboard/_dashboard_info_language.html | 11 -----------
 lms/templates/dashboard/_dashboard_xseries_info.html  |  8 +++++---
 3 files changed, 10 insertions(+), 17 deletions(-)
 delete mode 100644 lms/templates/dashboard/_dashboard_info_language.html

diff --git a/lms/templates/dashboard/_dashboard_certificate_information.html b/lms/templates/dashboard/_dashboard_certificate_information.html
index 13109ea82e..6145d87794 100644
--- a/lms/templates/dashboard/_dashboard_certificate_information.html
+++ b/lms/templates/dashboard/_dashboard_certificate_information.html
@@ -1,7 +1,9 @@
+<%page expression_filter="h"/>
 <%page args="cert_status, course_overview, enrollment" />
 
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.markup import Text, HTML
 from course_modes.models import CourseMode
 %>
 <%namespace name='static' file='../static_content.html'/>
@@ -41,11 +43,11 @@ else:
       ${"{0:.0f}%".format(float(course_overview.lowest_passing_grade)*100)}</span>.
     % elif cert_status['status'] == 'restricted' and enrollment.mode == 'verified':
     <p class="message-copy">
-      ${_("Your verified {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}. If you would like a refund on your {cert_name_long}, please contact our billing address {billing_email}").format(email='<a class="contact-link" href="mailto:{email}">{email}</a>.'.format(email=settings.CONTACT_EMAIL), billing_email='<a class="contact-link" href="mailto:{email}">{email}</a>'.format(email=settings.PAYMENT_SUPPORT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
+      ${Text(_("Your verified {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}. If you would like a refund on your {cert_name_long}, please contact our billing address {billing_email}")).format(email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>.').format(email=settings.CONTACT_EMAIL), billing_email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>').format(email=settings.PAYMENT_SUPPORT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
     </p>
     % elif cert_status['status'] == 'restricted':
     <p class="message-copy">
-      ${_("Your {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}.").format(email='<a class="contact-link" href="mailto:{email}">{email}</a>.'.format(email=settings.CONTACT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
+      ${Text(_("Your {cert_name_long} is being held pending confirmation that the issuance of your {cert_name_short} is in compliance with strict U.S. embargoes on Iran, Cuba, Syria and Sudan. If you think our system has mistakenly identified you as being connected with one of those countries, please let us know by contacting {email}.")).format(email=HTML('<a class="contact-link" href="mailto:{email}">{email}</a>.').format(email=settings.CONTACT_EMAIL), cert_name_short=cert_name_short, cert_name_long=cert_name_long)}
     </p>
     % endif
   </p>
@@ -91,7 +93,7 @@ else:
       <li class="action action-share">
         <a class="action-linkedin-profile" target="_blank" href="${cert_status['linked_in_url']}"
          title="${_('Add Certificate to LinkedIn Profile')}"
-         data-course-id="${unicode(course_overview.id)}"
+         data-course-id="${course_overview.id}"
          data-certificate-mode="${cert_status['mode']}"
         >
           <img class="action-linkedin-profile-img"
diff --git a/lms/templates/dashboard/_dashboard_info_language.html b/lms/templates/dashboard/_dashboard_info_language.html
deleted file mode 100644
index 8e2933ea96..0000000000
--- a/lms/templates/dashboard/_dashboard_info_language.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<%! from django.utils.translation import ugettext as _ %>
-
-<%namespace name='static' file='../static_content.html'/>
-
-<li class="status status-language">
-  <span class="title status-title">
-    ${_("Preferred Language")}
-    (<a href="#change_language" rel="leanModal" class="edit-language">${_("edit")}</a>)
-  </span>
-  <span class="data">${current_language}</span>
-</li>
diff --git a/lms/templates/dashboard/_dashboard_xseries_info.html b/lms/templates/dashboard/_dashboard_xseries_info.html
index 5f52f36727..918f40b118 100644
--- a/lms/templates/dashboard/_dashboard_xseries_info.html
+++ b/lms/templates/dashboard/_dashboard_xseries_info.html
@@ -1,6 +1,8 @@
+<%page expression_filter="h"/>
 <%page args="program_data, enrollment_mode, display_category" />
 <%!
     from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import Text, HTML
 %>
 <%namespace name='static' file='../static_content.html'/>
     <div class="message message-status is-shown credit-message">
@@ -10,10 +12,10 @@
                     ${_("{category} Program: Interested in more courses in this subject?").format(category=display_category)}
                 </p>
                 <p class="message-copy">
-                    ${_("This course is 1 of {course_count} courses in the {link_start}{program_display_name}{link_end} {program_category}.").format(
+                    ${Text(_("This course is 1 of {course_count} courses in the {link_start}{program_display_name}{link_end} {program_category}.")).format(
                         course_count=program_data['course_count'],
-                        link_start='<a href="{}">'.format(program_data['program_marketing_url']),
-                        link_end='</a>',
+                        link_start=HTML('<a href="{}">').format(program_data['program_marketing_url']),
+                        link_end=HTML('</a>'),
                         program_display_name=program_data['display_name'],
                         program_category=display_category,
                     )}