diff --git a/lms/templates/ccx/coach_dashboard.html b/lms/templates/ccx/coach_dashboard.html
index 498a8d583a1955d11b448ad7a7f327db7ce8432c..0fb54c584836494339808d8683ef71cf75b7035c 100644
--- a/lms/templates/ccx/coach_dashboard.html
+++ b/lms/templates/ccx/coach_dashboard.html
@@ -129,8 +129,9 @@ from openedx.core.djangolib.js_utils import (
 studentId = $('<input />', {
 type: 'hidden',
 name: 'student-id',
- value: selectedStudent
+ value: edx.HtmlUtils.ensureHtml(selectedStudent)
 });
+ // xss-lint: disable=javascript-jquery-append
 form.append(action, studentId).submit();
 }
 });
@@ -153,7 +154,7 @@ from openedx.core.djangolib.js_utils import (
 $errorMessage.show();
 return false;
 } else if (hasCcxConnector) {
- $errorMessage.html('${use_ccx_con_error_message | n, js_escaped_string}');
+ $errorMessage.text('${use_ccx_con_error_message | n, js_escaped_string}');
 $errorMessage.show();
 return false;
 }
diff --git a/lms/templates/components/card/card.underscore b/lms/templates/components/card/card.underscore
index 178d102b2983680c2681c395ed05a917d5e118df..06e8483ea03817fa58a01818f4a75ed9bda802ae 100644
--- a/lms/templates/components/card/card.underscore
+++ b/lms/templates/components/card/card.underscore
@@ -6,7 +6,7 @@
 <% } %>
 <h3 class="card-title"
 <% if (!_.isUndefined(srInfo)) { %>
- aria-describedby="<%= srInfo.id %>"
+ aria-describedby="<%- srInfo.id %>"
 <% } %>
 ><%- title %>
 </h3>
@@ -17,7 +17,8 @@
 <div class="card-meta">
 </div>
 <div class="card-actions">
- <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+ <% // xss-lint: disable=underscore-not-escaped %>
+ <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
 </div>
 </div>
 <% } else { %>
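Review bot: `edx.HtmlUtils.ensureHtml(selectedStudent)` on the changed `value:` line escapes in a context that is never parsed as HTML: jQuery assigns `value` as an attribute/property of the hidden input, so if `ensureHtml` HTML-escapes plain strings (its implementation is not in this diff, please confirm), an identifier containing `&`, `'` or `<` will be posted to the server entity-encoded rather than as typed. The sink the linter is concerned with is `form.append(action, studentId)` on the next line, which the new `// xss-lint: disable=javascript-jquery-append` comment already handles, so `value: selectedStudent` was safe as written. I would restore `value: selectedStudent` and, if the linter still flags it, add `// value is set as an attribute, not parsed as HTML` beside it rather than encode the submitted data. The enclosing click handler starts before this hunk.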
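Review bot: The new `<% // xss-lint: disable=underscore-not-escaped %>` above the action link silences the finding for `<%= action_content %>` without recording why that value is allowed through unescaped, so a later reader cannot tell whether it is markup built by the view or data that should have become `<%-`. I would carry the reason in the comment, e.g. `<% // xss-lint: disable=underscore-not-escaped (action_content is HtmlUtils-built markup from the view) %>`, adjusted to what the callers actually guarantee; the same applies to the identical line in the `@@ -28,14 +29,15 @@` hunk of this file and to the two `uploadButtonIcon`/`removeButtonIcon` spans in `field_image.underscore`. Also note that `href="<%- action_url %>"` now prevents attribute break-out but does not validate the URL itself, so if `action_url` can come from anything other than server-side configuration the view building it should restrict it to a relative or http(s) URL, since HTML-escaping leaves other schemes intact.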
@@ -28,14 +29,15 @@
 <% } %>
 <h3 class="card-title"
 <% if (!_.isUndefined(srInfo)) { %>
- aria-describedby="<%= srInfo.id %>"
+ aria-describedby="<%- srInfo.id %>"
 <% } %>
 ><%- title %>
 </h3>
 <p class="card-description"><%- description %></p>
 </div>
 <div class="card-actions">
- <a class="action <%= action_class %>" href="<%= action_url %>"><%= action_content %></a>
+ <% // xss-lint: disable=underscore-not-escaped %>
+ <a class="action <%- action_class %>" href="<%- action_url %>"><%= action_content %></a>
 </div>
 </div>
 <div class="wrapper-card-meta">
diff --git a/lms/templates/edxnotes/note-item.underscore b/lms/templates/edxnotes/note-item.underscore
index 941127984f152fe501545789a649f7443b9a0e1f..2ed78b7d34f1944b5f6f4f2cded546c0f016170a 100644
--- a/lms/templates/edxnotes/note-item.underscore
+++ b/lms/templates/edxnotes/note-item.underscore
@@ -18,6 +18,7 @@
 <li class="note-comment">
 <p class="note-comment-title"><%- gettext("You commented...") %></p>
 <p class="note-comment-p">
+ <% // xss-lint: disable=underscore-not-escaped %>
 <%= interpolate_text(_.escape(text), {
 elasticsearch_highlight_start: '<span class="note-highlight">',
 elasticsearch_highlight_end: '</span>'
@@ -32,7 +33,7 @@
 <div class="wrapper-reference-content">
 <p class="reference-title"><%- gettext("Noted in:") %></p>
 <% if (unit.url) { %>
- <a class="reference-meta reference-unit-link" href="<%= unit.url %>#<%= id %>"><%- unit.display_name %></a>
+ <a class="reference-meta reference-unit-link" href="<%- unit.url %>#<%- id %>"><%- unit.display_name %></a>
 <% } else { %>
 <span class="reference-meta"><%- unit.display_name %></span>
 <% } %>
@@ -44,6 +45,7 @@
 <p class="reference-title"><%- gettext("Tags:") %></p>
 <% for (var i = 0; i < tags.length; i++) { %>
 <span class="reference-meta reference-tags">
+ <% // xss-lint: disable=underscore-not-escaped %>
 <%= interpolate_text(_.escape(tags[i]), {
 elasticsearch_highlight_start: '<span class="note-highlight">',
 elasticsearch_highlight_end: '</span>'
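Review bot: The lint-disable added before `<%= interpolate_text(_.escape(text), {` is justified only by the order of operations — `text` is escaped before the fixed highlight spans are interpolated — and the comment does not say so; I would write `<% // xss-lint: disable=underscore-not-escaped (text is escaped with _.escape before the trusted highlight markup is interpolated) %>`, and the same for the `tags[i]` line in the `@@ -44,6 +45,7 @@` hunk. One thing to confirm, since `interpolate_text` is not in this diff: the user-supplied note text is passed as the format string, and if `interpolate_text` compiles its first argument with `_.template`, brace-delimited content in a note would be interpreted as template code rather than displayed, which `_.escape` does not prevent. If that is how it is implemented, a safer shape is to escape the text and substitute the two known highlight markers with `split`/`join` (or `replaceAll`) instead of passing user text through a template engine.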
diff --git a/lms/templates/edxnotes/tab-item.underscore b/lms/templates/edxnotes/tab-item.underscore
index 91b6de9814f6a02fa3a6f9425c5ac44da851e557..86530d1cd8bf0ffaa734a9bcbd4fccfc49659150 100644
--- a/lms/templates/edxnotes/tab-item.underscore
+++ b/lms/templates/edxnotes/tab-item.underscore
@@ -1,7 +1,7 @@
 <% var hasIcon = icon ? 1 : 0; %>
 <a class="tab-label <% if (hasIcon) { print('has-icon') } %>" href="#">
- <% if (hasIcon) { %><span class="icon <%= icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
+ <% if (hasIcon) { %><span class="icon <%- icon %>" aria-hidden="true"></span> <% } %><%- gettext(name) %>
 </a>
 <% if (is_closable) { %>
diff --git a/lms/templates/fields/field_image.underscore b/lms/templates/fields/field_image.underscore
index 79c422ed30e0c7813adb6348ca782aef41fae640..07ce9cf3e7c6d51341de65e14e6c883dc1039c90 100644
--- a/lms/templates/fields/field_image.underscore
+++ b/lms/templates/fields/field_image.underscore
@@ -1,16 +1,18 @@
 <div class="image-wrapper">
- <img class="image-frame" src="<%- imageUrl %>" alt="<%=imageAltText%>"/>
+ <img class="image-frame" src="<%- imageUrl %>" alt="<%-imageAltText%>"/>
 <div class="u-field-actions">
 <label class="u-field-upload-button">
+ <% // xss-lint: disable=underscore-not-escaped %>
 <span class="upload-button-icon" aria-hidden="true"><%= uploadButtonIcon %></span>
- <span class="upload-button-title" aria-live="polite"><%= uploadButtonTitle %></span>
- <input class="upload-button-input" type="file" name="<%= inputName %>"/>
+ <span class="upload-button-title" aria-live="polite"><%- uploadButtonTitle %></span>
+ <input class="upload-button-input" type="file" name="<%- inputName %>"/>
 </label>
- <button class="upload-submit" type="button" hidden="true"><%= uploadButtonTitle %></button>
+ <button class="upload-submit" type="button" hidden="true"><%- uploadButtonTitle %></button>
 <button class="u-field-remove-button" type="button">
+ <% // xss-lint: disable=underscore-not-escaped %>
 <span class="remove-button-icon" aria-hidden="true"><%= removeButtonIcon %></span>
- <span class="remove-button-title" aria-live="polite"><%= removeButtonTitle %></span>
- <span class="sr"><%= screenReaderTitle %></span>
+ <span class="remove-button-title" aria-live="polite"><%- removeButtonTitle %></span>
+ <span class="sr"><%- screenReaderTitle %></span>
 </button>
 </div>
 </div>
diff --git a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
index 1052b32bc65e82a66e7ffdd61471f29b268d51a8..88b3c773971f44e2ba5e741ef4f2ec363e7d6052 100644
--- a/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
+++ b/lms/templates/instructor/instructor_dashboard_2/enrollment-code-lookup-links.underscore
@@ -12,7 +12,7 @@
 <td> <%- is_registration_code_valid %> </td>
 <td>
 <% _.each(actions, function(action){ %>
- <a class="registration_code_action_link" data-registration-code="<%= action.registration_code %>" data-action-type="<%= action.action_type %>" href="#" data-endpoint="<%= action.action_url %>">
+ <a class="registration_code_action_link" data-registration-code="<%- action.registration_code %>" data-action-type="<%- action.action_type %>" href="#" data-endpoint="<%- action.action_url %>">
 <%- action.action_name %>
 </a>
 <% }); %>
diff --git a/lms/templates/learner_dashboard/program_card.underscore b/lms/templates/learner_dashboard/program_card.underscore
index 11c474b5ae023aaa00e25c65b97cdc607dfd10e6..de98c952dd157ee14e5ef21d00629d2604f1f81b 100644
--- a/lms/templates/learner_dashboard/program_card.underscore
+++ b/lms/templates/learner_dashboard/program_card.underscore
@@ -57,7 +57,7 @@
 <source srcset="<%- smallBannerUrl %>" media="(max-width: <%- breakpoints.max.small %>)">
 <source srcset="<%- mediumBannerUrl %>" media="(max-width: <%- breakpoints.max.medium %>)">
 <source srcset="<%- xsmallBannerUrl %>" media="(max-width: <%- breakpoints.max.large %>)">
- <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%= interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
+ <img class="banner-image" srcset="<%- smallBannerUrl %>" alt="<%- interpolate(gettext('%(programName)s Home Page.'), {programName: title}, true)%>">
 </picture>
 </div>
 </a>
diff --git a/lms/templates/video.html b/lms/templates/video.html
index d475106caba32728ea17352ca66026731d96d353..51fcddd3eabc076d901991842e784262f84368ce 100644
--- a/lms/templates/video.html
+++ b/lms/templates/video.html
@@ -2,7 +2,9 @@
 <%!
 from django.utils.translation import ugettext as _
-from openedx.core.djangolib.js_utils import js_escaped_string
+from openedx.core.djangolib.js_utils import ( dump_js_escaped_json, js_escaped_string )
 %>
 % if display_name is not UNDEFINED and display_name is not None:
 <h3 class="hd hd-2">${display_name}</h3>
@@ -98,14 +100,14 @@ from openedx.core.djangolib.js_utils import js_escaped_string
 var salt = Math.floor((1 + Math.random()) * 0x100000).toString(36);
 var id = "${id | n, js_escaped_string}";
 function initializeCDNExperiment() {
- sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, "", "load");
+ sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, "", "load");
 cdnStartTime = Date.now();
 $.each(['loadstart', 'abort', 'error', 'stalled', 'loadedmetadata', 'loadeddata', 'canplay', 'canplaythrough', 'seeked'], function(index, eventName) {
 $("#video_" + id).bind("html5:" + eventName, null, function() {
 timeElapsed = Date.now() - cdnStartTime;
- sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group}, timeElapsed, eventName);
+ sendPerformanceBeacon(id + "_" + salt, ${cdn_exp_group | n, dump_js_escaped_json}, timeElapsed, eventName);
 });
 });
 }