From 358ed2559af215b139866aa9402bb7b85b603a31 Mon Sep 17 00:00:00 2001
From: cahrens <christina@edx.org>
Date: Fri, 11 Mar 2016 18:04:56 -0500
Subject: [PATCH] Fix improper escaping.

---
 cms/static/js/views/content_group_details.js  |  6 ++--
 .../js/content-group-details.underscore       | 25 ++++++++-------
 .../js/group-configuration-details.underscore | 31 ++++++++++---------
 .../cohort_management.html                    |  3 +-
 4 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/cms/static/js/views/content_group_details.js b/cms/static/js/views/content_group_details.js
index 4357b04aaa..4b6ed76820 100644
--- a/cms/static/js/views/content_group_details.js
+++ b/cms/static/js/views/content_group_details.js
@@ -75,18 +75,18 @@ define([
         },
 
         getOutlineAnchorMessage: function () {
-            var message = gettext(
+            var message = _.escape(gettext(
                     /*
                         Translators: 'outlineAnchor' is an anchor pointing to
                         the course outline page.
                     */
                     'This content group is not in use. Add a content group to any unit from the %(outlineAnchor)s.'
-                ),
+                )),
                 anchor = str.sprintf(
                     '<a href="%(url)s" title="%(text)s">%(text)s</a>',
                     {
                             url: this.model.collection.parents[0].outlineUrl,
-                            text: gettext('Course Outline')
+                            text: _.escape(gettext('Course Outline'))
                     }
                 );
 
diff --git a/cms/templates/js/content-group-details.underscore b/cms/templates/js/content-group-details.underscore
index b5bc267411..670fab89fb 100644
--- a/cms/templates/js/content-group-details.underscore
+++ b/cms/templates/js/content-group-details.underscore
@@ -3,7 +3,7 @@
         <h3 class="title">
             <a href="#" class="toggle group-toggle <% if (showContentGroupUsages){ print('hide'); } else { print('show'); } %>-groups">
                 <i class="ui-toggle-expansion icon fa fa-caret-<% if (showContentGroupUsages){ print('down'); } else { print('right'); } %>"></i>
-                <%= name %>
+                <%- name %>
             </a>
         </h3>
     </header>
@@ -11,28 +11,28 @@
    <ol class="collection-info group-configuration-info group-configuration-info-<% if(showContentGroupUsages){ print('block'); } else { print('inline'); } %>">
      <% if (!_.isUndefined(id)) { %>
          <li class="group-configuration-id"
-             ><span class="group-configuration-label"><%= gettext('ID') %>: </span
-             ><span class="group-configuration-value"><%= id %></span
+             ><span class="group-configuration-label"><%- gettext('ID') %>: </span
+             ><span class="group-configuration-value"><%- id %></span
          ></li>
      <% } %>
      <% if (!showContentGroupUsages) { %>
           <li class="group-configuration-usage-count">
-             <%= usageCountMessage %>
+             <%- usageCountMessage %>
          </li>
      <% } %>
    </ol>
 
     <ul class="actions group-configuration-actions">
         <li class="action action-edit">
-            <button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
+            <button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
         </li>
         <% if (_.isEmpty(usage)) { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Delete') %>">
-                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Delete') %>">
+                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
             </li>
         <% } else { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by a unit') %>">
-                <button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by a unit') %>">
+                <button class="delete action-icon is-disabled" aria-disabled="true" disabled="disabled"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
             </li>
         <% } %>
     </ul>
@@ -41,17 +41,18 @@
 <% if (showContentGroupUsages) { %>
   <div class="collection-references wrapper-group-configuration-usages">
     <% if (!_.isEmpty(usage)) { %>
-      <h4 class="intro group-configuration-usage-text"><%= gettext('This content group is used in:') %></h4>
+      <h4 class="intro group-configuration-usage-text"><%- gettext('This content group is used in:') %></h4>
       <ol class="usage group-configuration-usage">
         <% _.each(usage, function(unit) { %>
           <li class="usage-unit group-configuration-usage-unit">
-            <p><a href=<%= unit.url %> ><%= unit.label %></a></p>
+            <p><a href=<%- unit.url %> ><%- unit.label %></a></p>
           </li>
         <% }) %>
       </ol>
     <% } else { %>
         <p class="group-configuration-usage-text">
-        <%= outlineAnchorMessage %>
+          <!-- This contains an anchor link and therefore can't be escaped. -->
+          <%= outlineAnchorMessage %>
         </p>
     <% } %>
   </div>
diff --git a/cms/templates/js/group-configuration-details.underscore b/cms/templates/js/group-configuration-details.underscore
index c26afc56e4..4f5bc0374b 100644
--- a/cms/templates/js/group-configuration-details.underscore
+++ b/cms/templates/js/group-configuration-details.underscore
@@ -3,7 +3,7 @@
         <h3 class="title group-configuration-title">
             <a href="#" class="toggle group-toggle <% if(showGroups){ print('hide'); } else { print('show'); } %>-groups">
                 <i class="ui-toggle-expansion icon fa fa-caret-<% if(showGroups){ print('down'); } else { print('right'); } %>"></i>
-                <%= name %>
+                <%- name %>
             </a>
         </h3>
     </header>
@@ -11,20 +11,20 @@
     <ol class="collection-info group-configuration-info group-configuration-info-<% if(showGroups){ print('block'); } else { print('inline'); } %>">
       <% if (!_.isUndefined(id)) { %>
         <li class="group-configuration-id"
-            ><span class="group-configuration-label"><%= gettext('ID') %>: </span
-            ><span class="group-configuration-value"><%= id %></span
+            ><span class="group-configuration-label"><%- gettext('ID') %>: </span
+            ><span class="group-configuration-value"><%- id %></span
         ></li>
       <% } %>
       <% if (showGroups) { %>
         <li class="collection-description group-configuration-description">
-            <%= description %>
+            <%- description %>
         </li>
       <% } else { %>
         <li class="group-configuration-groups-count">
-            <%= groupsCountMessage %>
+            <%- groupsCountMessage %>
         </li>
         <li class="group-configuration-usage-count">
-            <%= usageCountMessage %>
+            <%- usageCountMessage %>
         </li>
       <% } %>
     </ol>
@@ -34,23 +34,23 @@
       <ol class="collection-items groups groups-<%= index %>">
         <% groups.each(function(group, groupIndex) { %>
           <li class="item group group-<%= groupIndex %>">
-            <span class="name group-name"><%= group.get('name') %></span>
-            <span class="meta group-allocation"><%= allocation %>%</span>
+            <span class="name group-name"><%- group.get('name') %></span>
+            <span class="meta group-allocation"><%- allocation %>%</span>
           </li>
         <% }) %>
       </ol>
     <% } %>
     <ul class="actions group-configuration-actions">
         <li class="action action-edit">
-            <button class="edit"><i class="icon fa fa-pencil"></i> <%= gettext("Edit") %></button>
+            <button class="edit"><i class="icon fa fa-pencil"></i> <%- gettext("Edit") %></button>
         </li>
         <% if (_.isEmpty(usage)) { %>
             <li class="action action-delete wrapper-delete-button">
-                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+                <button class="delete action-icon"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
             </li>
         <% } else { %>
-            <li class="action action-delete wrapper-delete-button" data-tooltip="<%= gettext('Cannot delete when in use by an experiment') %>">
-                <button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%= gettext("Delete") %></span></button>
+            <li class="action action-delete wrapper-delete-button" data-tooltip="<%- gettext('Cannot delete when in use by an experiment') %>">
+                <button class="delete action-icon is-disabled" aria-disabled="true"><i class="icon fa fa-trash-o"></i><span><%- gettext("Delete") %></span></button>
             </li>
         <% } %>
     </ul>
@@ -58,11 +58,11 @@
 <% if(showGroups) { %>
   <div class="collection-references wrapper-group-configuration-usages">
     <% if (!_.isEmpty(usage)) { %>
-      <h4 class="intro group-configuration-usage-text"><%= gettext('This Group Configuration is used in:') %></h4>
+      <h4 class="intro group-configuration-usage-text"><%- gettext('This Group Configuration is used in:') %></h4>
       <ol class="usage group-configuration-usage">
         <% _.each(usage, function(unit) { %>
           <li class="usage-unit group-configuration-usage-unit">
-            <p><a href=<%= unit.url %> ><%= unit.label %></a></p>
+            <p><a href=<%- unit.url %> ><%- unit.label %></a></p>
             <% if (unit.validation) { %>
               <p>
                 <% if (unit.validation.type === 'warning') { %>
@@ -71,7 +71,7 @@
                   <i class="icon fa fa-exclamation-circle"></i>
                 <% } %>
                 <span class="usage-validation-message group-configuration-validation-message">
-                  <%= unit.validation.text %>
+                  <%- unit.validation.text %>
                 </span>
               </p>
             <% } %>
@@ -80,6 +80,7 @@
       </ol>
     <% } else { %>
       <p class="group-configuration-usage-text">
+        <!-- This contains an anchor link and therefore can't be escaped. -->
         <%= outlineAnchorMessage %>
       </p>
     <% } %>
diff --git a/lms/templates/instructor/instructor_dashboard_2/cohort_management.html b/lms/templates/instructor/instructor_dashboard_2/cohort_management.html
index 71d5fe0dfc..81fe4c4221 100644
--- a/lms/templates/instructor/instructor_dashboard_2/cohort_management.html
+++ b/lms/templates/instructor/instructor_dashboard_2/cohort_management.html
@@ -2,6 +2,7 @@
 <%namespace name='static' file='../../static_content.html'/>
 <%!
 from django.utils.translation import ugettext as _
+from openedx.core.djangolib.js_utils import js_escaped_string
 from courseware.courses import get_studio_url
 from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_user_partition
 %>
@@ -27,7 +28,7 @@ from openedx.core.djangoapps.course_groups.partition_scheme import get_cohorted_
             % for content_group in content_groups:
             {
                 id: ${content_group.id},
-                name: "${content_group.name | h}",
+                name: "${content_group.name | n, js_escaped_string}",
                 user_partition_id: cohortUserPartitionId
             },
             % endfor