Incident Management Security Fixes 5

cms/templates/js/active-video-upload-list.underscore

@@ -3,14 +3,14 @@
         <span class="icon fa fa-cloud-upload" aria-hidden="true"></span>
         <div class="text-container">
             <div class="video-uploads-header"><%- uploadHeader %></div>
-            <div class="video-upload-text"><%= uploadText %></div>
+            <div class="video-upload-text"><%= uploadText %></div> <% // xss-lint: disable=underscore-not-escaped %>
             <div class="video-max-file-size-text"><%- maxSizeText %></div>
             <div class="video-allowed-extensions-text"><%- supportedVideosText %></div>
         </div>
     </div>
     <input type="file" class="sr js-file-input" name="file" multiple>
 </form>
 <section class="active-video-upload-container">
-    <h3 class="sr"><%= gettext("Active Uploads") %></h3>
+    <h3 class="sr"><%- gettext("Active Uploads") %></h3>
     <ul class="active-video-upload-list"></ul>
 </section>

cms/templates/js/active-video-upload.underscore

@@ -1,5 +1,5 @@
 <h4 class="video-detail-name"><%- fileName %></h4>
-<progress class="video-detail-progress" value="<%= progress %>"></progress>
+<progress class="video-detail-progress" value="<%- progress %>"></progress>
 <div class="video-upload-status">
     <span class="icon alert-icon fa fa-warning upload-failure" aria-hidden="true"></span>
     <span class="video-detail-status"><%- gettext(status) %></span>

cms/templates/js/course-outline-modal.underscore

@@ -1,4 +1,4 @@
-<div class="xblock-editor" data-locator="<%= xblockInfo.get('id') %>" data-course-key="<%= xblockInfo.get('courseKey') %>">
+<div class="xblock-editor" data-locator="<%- xblockInfo.get('id') %>" data-course-key="<%- xblockInfo.get('courseKey') %>">
     <div class="message modal-introduction">
         <p><%- introductionMessage %></p>
     </div>

cms/templates/js/edit-xblock-modal.underscore

@@ -1 +1 @@
-<div class="xblock-editor" data-locator="<%= xblockInfo.get('id') %>" data-course-key="<%= xblockInfo.get('courseKey') %>"></div>
+<div class="xblock-editor" data-locator="<%- xblockInfo.get('id') %>" data-course-key="<%- xblockInfo.get('courseKey') %>"></div>

cms/templates/js/editor-mode-button.underscore

@@ -1,3 +1,3 @@
-<li class="action-item" data-mode="<%= mode %>">
-    <a href="#" class="<%= mode %>-button"><%= displayName %></a>
+<li class="action-item" data-mode="<%- mode %>">
+    <a href="#" class="<%- mode %>-button"><%- displayName %></a>
 </li>

cms/templates/js/mock/mock-xmodule-settings-only-editor.underscore

@@ -12,13 +12,13 @@
 
         <script id="metadata-string-entry" type="text/template">
             <div class="wrapper-comp-setting">
-                \t<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
-                \t<input class="input setting-input" type="text" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
+                \t<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
+                \t<input class="input setting-input" type="text" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
                 \t<button class="action setting-clear inactive" type="button" name="setting-clear" value="Clear" data-tooltip="Clear">
                 <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"Clear Value"</span>
                 </button>
             </div>
-            <span class="tip setting-help"><%= model.get('help') %></span>
+            <span class="tip setting-help"><%- model.get('help') %></span>
 
         </script>
 

common/static/common/templates/components/paging-footer.underscore

@@ -1,20 +1,20 @@
-<nav class="pagination pagination-full bottom" aria-label="<%= paginationLabel %>">
-    <div class="nav-item previous"><button class="nav-link previous-page-link"><span class="icon fa fa-angle-left" aria-hidden="true"></span> <span class="nav-label"><%= gettext("Previous") %></span></button></div>
+<nav class="pagination pagination-full bottom" aria-label="<%- paginationLabel %>">
+    <div class="nav-item previous"><button class="nav-link previous-page-link"><span class="icon fa fa-angle-left" aria-hidden="true"></span> <span class="nav-label"><%- gettext("Previous") %></span></button></div>
     <div class="nav-item page">
         <div class="pagination-form">
-            <label class="page-number-label" for="page-number-input"><%= interpolate(
+            <label class="page-number-label" for="page-number-input"><%- interpolate(
                     gettext("Page number out of %(total_pages)s"),
                     {total_pages: total_pages},
                     true
                 )%></label>
             <input id="page-number-input" class="page-number-input" name="page-number" type="text" size="4" autocomplete="off" aria-describedby="page-number-input-helper"/>
-            <span class="sr field-helper" id="page-number-input-helper"><%= gettext("Enter the page number you'd like to quickly navigate to.") %></span>
+            <span class="sr field-helper" id="page-number-input-helper"><%- gettext("Enter the page number you'd like to quickly navigate to.") %></span>
         </div>
 
-        <span class="current-page"><%= current_page %></span>
+        <span class="current-page"><%- current_page %></span>
         <span class="sr">&nbsp;out of&nbsp;</span>
         <span class="page-divider" aria-hidden="true">/</span>
-        <span class="total-pages"><%= total_pages %></span>
+        <span class="total-pages"><%- total_pages %></span>
     </div>
-    <div class="nav-item next"><button class="nav-link next-page-link"><span class="nav-label"><%= gettext("Next") %></span> <span class="icon fa fa-angle-right" aria-hidden="true"></span></button></div>
+    <div class="nav-item next"><button class="nav-link next-page-link"><span class="nav-label"><%- gettext("Next") %></span> <span class="icon fa fa-angle-right" aria-hidden="true"></span></button></div>
 </nav>

common/static/common/templates/image-modal.underscore

@@ -1,6 +1,6 @@
 <div class="wrapper-modal wrapper-modal-image">
   <section class="image-link">
-    <%= smallHTML%>
+    <%= smallHTML%> <% // xss-lint: disable=underscore-not-escaped %>
     <a href="#" class="modal-ui-icon action-fullscreen" role="button">
       <span class="label">
         <span class="icon fa fa-arrows-alt fa-large" aria-hidden="true"></span> <%- gettext("Fullscreen") %>
@@ -11,7 +11,7 @@
   <section class="image-modal">
     <section class="image-content">
       <div class="image-wrapper">
-        <img alt="<%= largeALT %>, <%- gettext('Large') %>" src="<%= largeSRC %>" />
+        <img alt="<%- largeALT %>, <%- gettext('Large') %>" src="<%- largeSRC %>" />
       </div>
 
       <a href="#" class="modal-ui-icon action-close" role="button">

common/static/js/capa/drag_and_drop/container.js

@@ -1,20 +1,13 @@
 (function(requirejs, require, define) {
-    define([], function() {
+    define(['edx-ui-toolkit/js/utils/html-utils'], function(HtmlUtils) {
         return Container;
 
         function Container(state) {
             state.containerEl = $(
-            '<div ' +
-                'style=" ' +
-                    'clear: both; ' +
-                    'width: 665px; ' +
-                    'margin-left: auto; ' +
-                    'margin-right: auto; ' +
-                '" ' +
-            '></div>'
-        );
+                '<div style=" clear: both; width: 665px; margin-left: auto; margin-right: auto; " ></div>'
+            );
 
-            $('#inputtype_' + state.problemId).before(state.containerEl);
+            $('#inputtype_' + state.problemId).before(HtmlUtils.HTML(state.containerEl).toString());
         }
     }); // End-of: define([], function () {
 }(RequireJS.requirejs, RequireJS.require, RequireJS.define)); // End-of: (function (requirejs, require, define) {

common/static/js/src/tooltip_manager.js

@@ -8,7 +8,7 @@
         if (!this.tooltip.length) {
             this.tooltip = $('<div />', {
                 class: this.className
-            }).appendTo(this.element);
+            }).appendTo(this.element); // xss-lint: disable=javascript-jquery-insert-into-target
         }
 
         this.hide();
@@ -58,7 +58,7 @@
             pageY = typeof pageY !== 'undefined' ? pageY : element.offset().top + element.height() / 2;
             var tooltipText = $(element).attr('data-tooltip');
             this.tooltip
-                .html(tooltipText)
+                .text(tooltipText)
                 .css(this.getCoords(pageX, pageY));
         },