Use xss-utils package for interpolate_html filters

This would switch all reference of interpolate_html filter from credentials to xss-utils package. Also removing htmlescape filter to use django builtin force_escape. LEARNER-6899
openedx · Jan 1, 2019 · 1fc58b8 · 1fc58b8
1 parent ffe8b18
commit 1fc58b8
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 25 deletions.
diff --git a/edx_credentials_themes/__init__.py b/edx_credentials_themes/__init__.py
@@ -1 +1 @@
-__version__ = '0.1.25'
+__version__ = '0.1.26'
diff --git a/edx_credentials_themes/templates/edx.org/credentials/programs/base.html b/edx_credentials_themes/templates/edx.org/credentials/programs/base.html
@@ -1,7 +1,7 @@
 {% extends 'credentials/programs/base.html' %}
 {% load i18n %}
 {% load i18n_assets %}
-{% load html %}
+{% load django_markup %}
 
 
 {% block background_watermark %}
@@ -17,7 +17,7 @@
     <div class="accomplishment-metadata">
       <div class="accomplishment-metadata-bit accomplishment-metadata-aboutplatform">
         <h3 class="accomplishment-metadata-title">
-          {% trans "About edX" as tmsg %}{{ tmsg | htmlescape }}
+          {% trans "About edX" as tmsg %}{{ tmsg | force_escape }}
         </h3>
         <p class="accomplishment-metadata-copy">
           {% blocktrans trimmed asvar accomplishment_metadata_details %}

diff --git a/edx_credentials_themes/templates/edx.org/credentials/programs/micromasters/certificate.html b/edx_credentials_themes/templates/edx.org/credentials/programs/micromasters/certificate.html
@@ -1,9 +1,9 @@
 {% extends 'edx.org/credentials/programs/base.html' %}
 {% load i18n %}
-{% load html %}
+{% load django_markup %}
 
 {% block message %}
-  {% filter htmlescape %}
+  {% filter force_escape %}
     {# Translators: MicroMasters should not be translated #}
     {% blocktrans trimmed with organization_name=program_details.organizations.0.key %}
       You worked hard to earn your MicroMasters Credential from {{ organization_name }}.
@@ -13,17 +13,17 @@
 
 {% block accomplishment_summary %}
   {# Translators: MicroMasters should not be translated, this phrase is preceded by the learner's name and followed by a program title #}
-  {% trans "has successfully completed all courses and received passing grades for a MicroMasters credential in" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "has successfully completed all courses and received passing grades for a MicroMasters credential in" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_stamp_title %}
   {# Translators: MicroMasters should not be translated #}
-  {% trans "MicroMasters credential" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "MicroMasters credential" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata_title %}
   {# Translators: MicroMasters should not be translated #}
-  {% trans "About the edX MicroMasters credential" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "About the edX MicroMasters credential" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata %}

diff --git a/...s_themes/templates/edx.org/credentials/programs/professional-certificate/certificate.html b/...s_themes/templates/edx.org/credentials/programs/professional-certificate/certificate.html
@@ -1,18 +1,18 @@
 {% extends 'edx.org/credentials/programs/base.html' %}
 {% load i18n %}
-{% load html %}
+{% load django_markup %}
 
 {% block accomplishment_summary %}
   {# Translators: This phrase is preceded by the learner's name and followed by a program title #}
-  {% trans "successfully completed all courses and received passing grades for a Professional Certificate in" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "successfully completed all courses and received passing grades for a Professional Certificate in" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_stamp_title %}
-  {% trans "Professional Certificate" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "Professional Certificate" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata_title %}
-  {% trans "About the edX Professional Certificate" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "About the edX Professional Certificate" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata %}

diff --git a/edx_credentials_themes/templates/edx.org/credentials/programs/xseries/certificate.html b/edx_credentials_themes/templates/edx.org/credentials/programs/xseries/certificate.html
@@ -1,9 +1,9 @@
 {% extends 'edx.org/credentials/programs/base.html' %}
 {% load i18n %}
-{% load html %}
+{% load django_markup %}
 
 {% block message %}
-  {% filter htmlescape  %}
+  {% filter force_escape  %}
     {# Translators: XSeries should not be translated #}
     {% blocktrans trimmed with organization_name=program_details.organizations.0.key %}
       You worked hard to earn your XSeries Program certificate from {{ organization_name }}.
@@ -13,17 +13,17 @@
 
 {% block accomplishment_summary %}
   {# Translators: XSeries should not be translated, this phrase is preceded by the learner's name and followed by a program title #}
-  {% trans "has successfully completed all courses and received passing grades for an XSeries Program certificate in" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "has successfully completed all courses and received passing grades for an XSeries Program certificate in" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_stamp_title %}
   {# Translators: XSeries should not be translated #}
-  {% trans "XSeries Program certificate" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "XSeries Program certificate" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata_title %}
   {# Translators: XSeries should not be translated #}
-  {% trans "About the edX XSeries Program certificate" as tmsg %}{{ tmsg | htmlescape }}
+  {% trans "About the edX XSeries Program certificate" as tmsg %}{{ tmsg | force_escape }}
 {% endblock %}
 
 {% block accomplishment_metadata %}

diff --git a/edx_credentials_themes/templates/mitpe/_footer.html b/edx_credentials_themes/templates/mitpe/_footer.html
@@ -1,6 +1,5 @@
 {% load i18n %}
 {% load staticfiles %}
-{% load html %}
 
 <div class="wrapper-footer">
   <footer class="footer-app" role="contentinfo">
@@ -9,12 +8,12 @@
         <ul class="list list-legal">
           <li class="nav-item">
             <a class="action" href="{{ site.siteconfiguration.tos_url }}">
-              {% trans "Terms of Service" as tmsg %}{{ tmsg | htmlescape }}
+              {% trans "Terms of Service" as tmsg %}{{ tmsg | force_escape }}
             </a>
           </li>
           <li class="nav-item">
             <a class="action" href="{{ site.siteconfiguration.privacy_policy_url }}">
-              {% trans "Privacy Policy" as tmsg %}{{ tmsg | htmlescape }}
+              {% trans "Privacy Policy" as tmsg %}{{ tmsg | force_escape }}
             </a>
           </li>
         </ul>
@@ -25,7 +24,7 @@
             &copy; <a href="{{ site.siteconfiguration.homepage_url }}">
                       {{ site.siteconfiguration.company_name }}</a>
           </span>
-          {% trans "All rights reserved except where noted." as tmsg %}{{ tmsg | htmlescape }}
+          {% trans "All rights reserved except where noted." as tmsg %}{{ tmsg | force_escape }}
         </p>
       </div>
     </div>

diff --git a/edx_credentials_themes/templates/mitpe/credentials/programs/base.html b/edx_credentials_themes/templates/mitpe/credentials/programs/base.html
@@ -27,11 +27,11 @@
       <div class="wrapper-accomplishment-statement">
         <div class="accomplishment-statement">
           <p class="accomplishment-statement-lead">
-            <span class="accomplishment-statement-detail copy">{% trans "This is to certify that" as tmsg %}{{ tmsg | htmlescape }}</span>
+            <span class="accomplishment-statement-detail copy">{% trans "This is to certify that" as tmsg %}{{ tmsg | force_escape }}</span>
             <strong class="accomplishment-recipient">{{ user_data.name }}</strong>
             <img class="accomplishment-logo" src="{% static 'mitpe/images/mit-seal.png' %}"
                  alt="Massachusetts Institute of Technology">
-            <span class="accomplishment-summary copy">{% trans "has successfully completed the" as tmsg %}{{ tmsg | htmlescape }}</span>
+            <span class="accomplishment-summary copy">{% trans "has successfully completed the" as tmsg %}{{ tmsg | force_escape }}</span>
 
             <span class="accomplishment-course">
                 <span
@@ -44,7 +44,7 @@
                       {% endblock %}
                 </span>
                 <span class="accomplishment-program-type">PROFESSIONAL CERTIFICATE PROGRAM</span>
-                <span class="sr-only">{% trans "held during" as tmsg %}{{ tmsg | htmlescape }}</span>
+                <span class="sr-only">{% trans "held during" as tmsg %}{{ tmsg | force_escape }}</span>
                 <span class="accomplishment-course-dates">{% block program_dates %}{% endblock %}</span>
                 <span
                     class="accomplishment-course-time">
@@ -55,7 +55,7 @@
         </div>
       </div>
       <div class="accomplishment-signatories">
-        <h3 class="accomplishment-signatories-title sr-only">{% trans "Noted by" as tmsg %}{{ tmsg | htmlescape }}</h3>
+        <h3 class="accomplishment-signatories-title sr-only">{% trans "Noted by" as tmsg %}{{ tmsg | force_escape }}</h3>
         <div class="wrapper-signatories">
           <div class="list-signatories">
             {% for signatory in user_credential.credential.signatories.all %}