diff --git a/cms/static/js/spec/views/module_edit_spec.js b/cms/static/js/spec/views/module_edit_spec.js
index 04f2d2797e75edf966a0f2734d517a8fe0cc7a62..11a1b3c487391e480b6996beadc2332429f2c411 100644
--- a/cms/static/js/spec/views/module_edit_spec.js
+++ b/cms/static/js/spec/views/module_edit_spec.js
@@ -213,11 +213,11 @@ describe('ModuleEdit', function() {
return expect(this.moduleEdit.delegateEvents).toHaveBeenCalled();
});
it('loads inline css from fragments', function() {
- var args = "<style type='text/css'>inline-css</style>";
+ var args = '<style type="text/css">inline-css</style>';
return expect($('head').append).toHaveBeenCalledWith(args);
});
it('loads css urls from fragments', function() {
- var args = "<link rel='stylesheet' href='css-url' type='text/css'>";
+ var args = '<link rel="stylesheet" href="css-url" type="text/css">';
return expect($('head').append).toHaveBeenCalledWith(args);
});
it('loads inline js from fragments', function() {
diff --git a/cms/static/js/views/xblock.js b/cms/static/js/views/xblock.js
index 8436ec8c3f481e9d6534dfdf745e8299167e1f5d..235d2d4b97e0e99dccbd1c4f8c61fdcbac5f73be 100644
--- a/cms/static/js/views/xblock.js
+++ b/cms/static/js/views/xblock.js
@@ -1,5 +1,10 @@
-define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/views/baseview', 'xblock/runtime.v1'],
- function($, _, ViewUtils, BaseView, XBlock) {
+define(['jquery',
+ 'underscore',
+ 'common/js/components/utils/view_utils',
+ 'js/views/baseview',
+ 'xblock/runtime.v1',
+ 'edx-ui-toolkit/js/utils/html-utils'],
+ function($, _, ViewUtils, BaseView, XBlock, HtmlUtils) {
'use strict';
var XBlockView = BaseView.extend({
@@ -157,7 +162,7 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
* @param html The desired HTML.
*/
updateHtml: function(element, html) {
- element.html(html);
+ HtmlUtils.setHtml(element, HtmlUtils.HTML(html));
},
/**
@@ -214,19 +219,22 @@ define(['jquery', 'underscore', 'common/js/components/utils/view_utils', 'js/vie
data = resource.data;
if (mimetype === 'text/css') {
if (kind === 'text') {
- $head.append("<style type='text/css'>" + data + '</style>');
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+ $head.append('<style type="text/css">' + data + '</style>');
} else if (kind === 'url') {
- $head.append("<link rel='stylesheet' href='" + data + "' type='text/css'>");
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
+ $head.append('<link rel="stylesheet" href="' + data + '" type="text/css">');
}
} else if (mimetype === 'application/javascript') {
if (kind === 'text') {
+ // xss-lint: disable=javascript-jquery-append,javascript-concat-html
$head.append('<script>' + data + '</script>');
} else if (kind === 'url') {
return ViewUtils.loadJavaScript(data);
}
} else if (mimetype === 'text/html') {
if (placement === 'head') {
- $head.append(data);
+ HtmlUtils.append($head, HtmlUtils.HTML(data));
}
}
// Return an already resolved promise for synchronous updates
diff --git a/cms/templates/component.html b/cms/templates/component.html
index c42e3718984f441c8aa41394d5345d3c91a24c99..ccf3c5822585423d39d941fc4c6e03842ef5ad26 100644
--- a/cms/templates/component.html
+++ b/cms/templates/component.html
@@ -37,4 +37,4 @@
</ul>
</div>
<span data-tooltip="${_("Drag to reorder")}" class="drag-handle action"></span>
-${preview | n}
+${preview | n, decode.utf8}