From fee681be683da42037141310313cb04e2b00cc53 Mon Sep 17 00:00:00 2001
From: Calen Pennington
Date: Wed, 15 Oct 2014 14:00:54 -0400
Subject: [PATCH] Escape xblock wrapper data attributes and css classes for safe html
---
 common/djangoapps/xmodule_modifiers.py | 7 ++++---
 common/templates/xblock_wrapper.html | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/common/djangoapps/xmodule_modifiers.py b/common/djangoapps/xmodule_modifiers.py
index ee8f6a7a78..2349f1e3be 100644
--- a/common/djangoapps/xmodule_modifiers.py
+++ b/common/djangoapps/xmodule_modifiers.py
@@ -7,6 +7,7 @@
 import json
 import logging
 import static_replace
 import uuid
+import markupsafe
 from django.conf import settings
 from django.utils.timezone import UTC
@@ -71,7 +72,7 @@ def wrap_xblock(runtime_class, block, view, frag, context, usage_id_serializer,
     data = {}
     data.update(extra_data)
-    css_classes = ['xblock', 'xblock-{}'.format(view)]
+    css_classes = ['xblock', 'xblock-{}'.format(markupsafe.escape(view))]
     if isinstance(block, (XModule, XModuleDescriptor)):
         if view in PREVIEW_VIEWS:
@@ -81,7 +82,7 @@ def wrap_xblock(runtime_class, block, view, frag, context, usage_id_serializer,
             # The block is acting as an XModuleDescriptor
             css_classes.append('xmodule_edit')
-        css_classes.append('xmodule_' + class_name)
+        css_classes.append('xmodule_' + markupsafe.escape(class_name))
         data['type'] = block.js_module_name
         shim_xmodule_js(frag)
@@ -100,7 +101,7 @@ def wrap_xblock(runtime_class, block, view, frag, context, usage_id_serializer,
         'content': block.display_name if display_name_only else frag.content,
         'classes': css_classes,
         'display_name': block.display_name_with_default,
-        'data_attributes': u' '.join(u'data-{}="{}"'.format(key, value)
+        'data_attributes': u' '.join(u'data-{}="{}"'.format(markupsafe.escape(key), markupsafe.escape(value))
                                      for key, value in data.iteritems()),
     }
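Review bot: In the `data_attributes` join, `markupsafe.escape(key)` does not make a key safe to use as an attribute name: HTML escaping only rewrites `& < > " '`, so a key containing a space, `=` or `/` still terminates the `data-…` name and can introduce a further attribute, whereas the escaped value is safe inside its double quotes. Where the keys of `data` come from is outside the hunk (only `extra_data` and the `'type'` key are visible here), so this may be purely defensive, but attribute names should be whitelisted rather than escaped, e.g. `if not re.match(r'^[A-Za-z0-9_-]+$', key): raise ValueError('invalid data attribute name: %r' % key)` before the format (with `re` imported at the top of the module). Note also that `markupsafe.escape` returns any object exposing `__html__` unchanged, so a `Markup` value placed in `data` is emitted without escaping; a comment such as `# values in data must be plain strings: markupsafe.escape passes Markup/__html__ objects through unescaped` would make that contract explicit. `wrap_xblock` starts and ends outside this hunk.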
diff --git a/common/templates/xblock_wrapper.html b/common/templates/xblock_wrapper.html
index 2bb3ba97e9..74574907df 100644
--- a/common/templates/xblock_wrapper.html
+++ b/common/templates/xblock_wrapper.html
@@ -1,4 +1,4 @@
-
+
% if js_pass_parameters: