From 224a841171ae4de1f67a12efe631aa8836b08e7e Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 24 Aug 2020 10:29:53 -0500
Subject: [PATCH 1/8] backport of security patch from PR 24258 upstream

---
 .../certificates/views/certificate_editor.js  |   7 +-
 .../certificates/views/certificate_preview.js |  14 +-
 .../certificates/views/signatory_details.js   |  15 +-
 .../js/certificates/views/signatory_editor.js |  27 +--
 .../js/maintenance/force_publish_course.js    |   6 +-
 .../js/models/settings/course_details.js      |  28 ++-
 .../models/settings/course_grading_policy.js  |  27 ++-
 cms/static/js/views/abstract_editor.js        |   1 +
 cms/static/js/views/asset.js                  |  23 +--
 cms/static/js/views/course_info_handout.js    | 179 +++++++++---------
 .../templates/cors_csrf/xdomain_proxy.html    |  11 +-
 .../learner_profile/js/views/badge_view.js    |   7 +-
 .../js/views/section_two_tab.js               |  10 +-
 .../js/views/share_modal_view.js              |   7 +-
 .../ace_common/edx_ace/common/base_body.html  |  20 +-
 .../course_about_sidebar_header.html          |   5 +-
 16 files changed, 213 insertions(+), 174 deletions(-)

diff --git a/cms/static/js/certificates/views/certificate_editor.js b/cms/static/js/certificates/views/certificate_editor.js
index e08ac582b46..fa19bd2de25 100644
--- a/cms/static/js/certificates/views/certificate_editor.js
+++ b/cms/static/js/certificates/views/certificate_editor.js
@@ -8,10 +8,11 @@ define([
     'js/views/list_item_editor',
     'js/certificates/models/signatory',
     'js/certificates/views/signatory_editor',
-    'text!templates/certificate-editor.underscore'
+    'text!templates/certificate-editor.underscore',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
 function($, _, Backbone, gettext,
-         ListItemEditorView, SignatoryModel, SignatoryEditorView, certificateEditorTemplate) {
+         ListItemEditorView, SignatoryModel, SignatoryEditorView, certificateEditorTemplate, HtmlUtils) {
     'use strict';
 
     // If signatories limit is required to specific value then we can change it.
@@ -75,7 +76,7 @@ function($, _, Backbone, gettext,
                     isEditingAllCollections: true,
                     eventAgg: self.eventAgg
                 });
-                self.$('div.signatory-edit-list').append($(signatory_view.render()));
+                self.$('div.signatory-edit-list').append(HtmlUtils.HTML((signatory_view.render())).toString());
             });
             this.disableAddSignatoryButton();
             return this;
diff --git a/cms/static/js/certificates/views/certificate_preview.js b/cms/static/js/certificates/views/certificate_preview.js
index d07f3d1fdca..5300f784c9f 100644
--- a/cms/static/js/certificates/views/certificate_preview.js
+++ b/cms/static/js/certificates/views/certificate_preview.js
@@ -8,9 +8,10 @@ define([
     'js/views/baseview',
     'common/js/components/utils/view_utils',
     'common/js/components/views/feedback_notification',
-    'text!templates/certificate-web-preview.underscore'
+    'text!templates/certificate-web-preview.underscore',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
-function(_, gettext, BaseView, ViewUtils, NotificationView, certificateWebPreviewTemplate) {
+function(_, gettext, BaseView, ViewUtils, NotificationView, certificateWebPreviewTemplate, HtmlUtils) {
     'use strict';
     var CertificateWebPreview = BaseView.extend({
         el: $('.preview-certificate'),
@@ -27,7 +28,7 @@ function(_, gettext, BaseView, ViewUtils, NotificationView, certificateWebPrevie
         },
 
         render: function() {
-            this.$el.html(_.template(certificateWebPreviewTemplate)({
+            HtmlUtils.setHtml(this.$el, HtmlUtils.template(certificateWebPreviewTemplate)({
                 course_modes: this.course_modes,
                 certificate_web_view_url: this.certificate_web_view_url,
                 is_active: this.is_active
@@ -36,13 +37,8 @@ function(_, gettext, BaseView, ViewUtils, NotificationView, certificateWebPrevie
         },
 
         toggleCertificateActivation: function() {
-            var msg = 'Activating';
-            if (this.is_active) {
-                msg = 'Deactivating';
-            }
-
             var notification = new NotificationView.Mini({
-                title: gettext(msg)
+                title: gettext(this.is_active ? 'Deactivating' : 'Activating')
             });
 
             $.ajax({
diff --git a/cms/static/js/certificates/views/signatory_details.js b/cms/static/js/certificates/views/signatory_details.js
index 9d6543e2793..9286b282599 100644
--- a/cms/static/js/certificates/views/signatory_details.js
+++ b/cms/static/js/certificates/views/signatory_details.js
@@ -11,10 +11,11 @@ define([
     'js/views/baseview',
     'js/certificates/views/signatory_editor',
     'text!templates/signatory-details.underscore',
-    'text!templates/signatory-actions.underscore'
+    'text!templates/signatory-actions.underscore',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
 function($, _, str, Backbone, gettext, TemplateUtils, ViewUtils, BaseView, SignatoryEditorView,
-          signatoryDetailsTemplate, signatoryActionsTemplate) {
+          signatoryDetailsTemplate, signatoryActionsTemplate, HtmlUtils) {
     'use strict';
     var SignatoryDetailsView = BaseView.extend({
         tagName: 'div',
@@ -52,20 +53,20 @@ function($, _, str, Backbone, gettext, TemplateUtils, ViewUtils, BaseView, Signa
         editSignatory: function(event) {
             // Retrieve the edit view for this model
             if (event && event.preventDefault) { event.preventDefault(); }
-            this.$el.html(this.edit_view.render());
-            $(_.template(signatoryActionsTemplate)()).appendTo(this.el);
+            this.$el.html(HtmlUtils.HTML(this.edit_view.render()).toString());
+            this.$el.append(HtmlUtils.template(signatoryActionsTemplate)().toString());
             this.edit_view.delegateEvents();
             this.delegateEvents();
         },
 
         saveSignatoryData: function(event) {
             // Persist the data for this model
-            if (event && event.preventDefault) { event.preventDefault(); }
             var certificate = this.model.get('certificate');
+            var self = this;
+            if (event && event.preventDefault) { event.preventDefault(); }
             if (!certificate.isValid()) {
                 return;
             }
-            var self = this;
             ViewUtils.runOperationShowingMessage(
                 gettext('Saving'),
                 function() {
@@ -94,7 +95,7 @@ function($, _, str, Backbone, gettext, TemplateUtils, ViewUtils, BaseView, Signa
             var attributes = $.extend({}, this.model.attributes, {
                 signatory_number: this.model.collection.indexOf(this.model) + 1
             });
-            return $(this.el).html(_.template(signatoryDetailsTemplate)(attributes));
+            return HtmlUtils.setHtml(this.$el, HtmlUtils.template(signatoryDetailsTemplate)(attributes));
         }
     });
     return SignatoryDetailsView;
diff --git a/cms/static/js/certificates/views/signatory_editor.js b/cms/static/js/certificates/views/signatory_editor.js
index 21d53f7f20b..9c70e68a443 100644
--- a/cms/static/js/certificates/views/signatory_editor.js
+++ b/cms/static/js/certificates/views/signatory_editor.js
@@ -11,11 +11,12 @@ define([
     'common/js/components/views/feedback_notification',
     'js/models/uploads',
     'js/views/uploads',
-    'text!templates/signatory-editor.underscore'
+    'text!templates/signatory-editor.underscore',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
 function($, _, Backbone, gettext,
           TemplateUtils, ViewUtils, PromptView, NotificationView, FileUploadModel, FileUploadDialog,
-          signatoryEditorTemplate) {
+          signatoryEditorTemplate, HtmlUtils) {
     'use strict';
     var SignatoryEditorView = Backbone.View.extend({
         tagName: 'div',
@@ -78,7 +79,7 @@ function($, _, Backbone, gettext,
                 is_editing_all_collections: this.isEditingAllCollections,
                 total_saved_signatories: this.getTotalSignatoriesOnServer()
             });
-            return $(this.el).html(_.template(signatoryEditorTemplate)(attributes));
+            return HtmlUtils.setHtml(this.$el, HtmlUtils.template(signatoryEditorTemplate)(attributes));
         },
 
         setSignatoryName: function(event) {
@@ -127,10 +128,9 @@ function($, _, Backbone, gettext,
 
         deleteItem: function(event) {
             // Remove the specified model from the collection
-            if (event && event.preventDefault) { event.preventDefault(); }
             var model = this.model;
             var self = this;
-            var titleTextTemplate = _.template(gettext('Delete "<%= signatoryName %>" from the list of signatories?'));
+            var titleTextTemplate = _.template(gettext('Delete "<%- signatoryName %>" from the list of signatories?'));
             var confirm = new PromptView.Warning({
                 title: titleTextTemplate({signatoryName: model.get('name')}),
                 message: gettext('This action cannot be undone.'),
@@ -148,9 +148,9 @@ function($, _, Backbone, gettext,
                                 deleting.show();
                                 model.destroy({
                                     wait: true,
-                                    success: function(model) {
+                                    success: function(model2) {
                                         deleting.hide();
-                                        self.eventAgg.trigger('onSignatoryRemoved', model);
+                                        self.eventAgg.trigger('onSignatoryRemoved', model2);
                                     }
                                 });
                             }
@@ -165,18 +165,20 @@ function($, _, Backbone, gettext,
                     }
                 }
             });
+            if (event && event.preventDefault) { event.preventDefault(); }
             confirm.show();
         },
 
         uploadSignatureImage: function(event) {
+            var upload, self, modal;
             event.preventDefault();
-            var upload = new FileUploadModel({
+            upload = new FileUploadModel({
                 title: gettext('Upload signature image.'),
                 message: gettext('Image must be in PNG format.'),
                 mimeTypes: ['image/png']
             });
-            var self = this;
-            var modal = new FileUploadDialog({
+            self = this;
+            modal = new FileUploadDialog({
                 model: upload,
                 onSuccess: function(response) {
                     self.model.set('signature_image_path', response.asset.url);
@@ -192,12 +194,13 @@ function($, _, Backbone, gettext,
         */
         toggleValidationErrorMessage: function(modelAttribute) {
             var selector = 'div.add-signatory-' + modelAttribute;
+            var errorMessage;
             if (!this.model.isValid() && _.has(this.model.validationError, modelAttribute)) {
                 // Show the error message if it is not exist before.
                 if (!$(selector).hasClass('error')) {
-                    var errorMessage = this.model.validationError[modelAttribute];
+                    errorMessage = this.model.validationError[modelAttribute];
                     $(selector).addClass('error');
-                    $(selector).append("<span class='message-error'>" + errorMessage + '</span>');
+                    $(selector).append(HtmlUtils.joinHtml(HtmlUtils.HTML("<span class='message-error'>"), errorMessage, HtmlUtils.HTML('</span>')).toString()); // eslint-disable-line max-len
                 }
             } else {
                 // Remove the error message.
diff --git a/cms/static/js/maintenance/force_publish_course.js b/cms/static/js/maintenance/force_publish_course.js
index 65e93ff725f..e7eed221d67 100644
--- a/cms/static/js/maintenance/force_publish_course.js
+++ b/cms/static/js/maintenance/force_publish_course.js
@@ -22,7 +22,11 @@ function($, _, gettext, ViewUtils, StringUtils, HtmlUtils) {
         showError = function(containerElSelector, error) {
             var errorWrapperElSelector, errorHtml;
             errorWrapperElSelector = containerElSelector + ' .wrapper-error';
-            errorHtml = '<div class="error" aria-live="polite" id="course-id-error">' + error + '</div>';
+            errorHtml = HtmlUtils.joinHtml(
+                HtmlUtils.HTML('<div class="error" aria-live="polite" id="course-id-error">'),
+                error,
+                HtmlUtils.HTML('</div>')
+            );
             HtmlUtils.setHtml($(errorWrapperElSelector), HtmlUtils.HTML(errorHtml));
             $(errorWrapperElSelector).css('display', 'inline-block');
             $(errorWrapperElSelector).fadeOut(5000);
diff --git a/cms/static/js/models/settings/course_details.js b/cms/static/js/models/settings/course_details.js
index 394883d4809..c0d8c506f4f 100644
--- a/cms/static/js/models/settings/course_details.js
+++ b/cms/static/js/models/settings/course_details.js
@@ -1,5 +1,8 @@
-define(['backbone', 'underscore', 'gettext', 'js/models/validation_helpers', 'js/utils/date_utils'],
-    function(Backbone, _, gettext, ValidationHelpers, DateUtils) {
+define(['backbone', 'underscore', 'gettext', 'js/models/validation_helpers', 'js/utils/date_utils',
+    'edx-ui-toolkit/js/utils/string-utils'
+],
+    function(Backbone, _, gettext, ValidationHelpers, DateUtils, StringUtils) {
+        'use strict';
         var CourseDetails = Backbone.Model.extend({
             defaults: {
                 org: '',
@@ -51,11 +54,17 @@ define(['backbone', 'underscore', 'gettext', 'js/models/validation_helpers', 'js
                 if (newattrs.start_date && newattrs.end_date && newattrs.start_date >= newattrs.end_date) {
                     errors.end_date = gettext('The course end date must be later than the course start date.');
                 }
-                if (newattrs.start_date && newattrs.enrollment_start && newattrs.start_date < newattrs.enrollment_start) {
-                    errors.enrollment_start = gettext('The course start date must be later than the enrollment start date.');
+                if (newattrs.start_date && newattrs.enrollment_start &&
+                  newattrs.start_date < newattrs.enrollment_start) {
+                    errors.enrollment_start = gettext(
+                      'The course start date must be later than the enrollment start date.'
+                    );
                 }
-                if (newattrs.enrollment_start && newattrs.enrollment_end && newattrs.enrollment_start >= newattrs.enrollment_end) {
-                    errors.enrollment_end = gettext('The enrollment start date cannot be after the enrollment end date.');
+                if (newattrs.enrollment_start && newattrs.enrollment_end &&
+                  newattrs.enrollment_start >= newattrs.enrollment_end) {
+                    errors.enrollment_end = gettext(
+                      'The enrollment start date cannot be after the enrollment end date.'
+                    );
                 }
                 if (newattrs.end_date && newattrs.enrollment_end && newattrs.end_date < newattrs.enrollment_end) {
                     errors.enrollment_end = gettext('The enrollment end date cannot be after the course end date.');
@@ -78,7 +87,9 @@ define(['backbone', 'underscore', 'gettext', 'js/models/validation_helpers', 'js
                         max: 100
                     };
                     if (!ValidationHelpers.validateIntegerRange(newattrs.entrance_exam_minimum_score_pct, range)) {
-                        errors.entrance_exam_minimum_score_pct = interpolate(gettext('Please enter an integer between %(min)s and %(max)s.'), range, true);
+                        errors.entrance_exam_minimum_score_pct = StringUtils.interpolate(gettext(
+                          'Please enter an integer between %(min)s and %(max)s.'
+                        ), range, true);
                     }
                 }
                 if (!_.isEmpty(errors)) return errors;
@@ -90,7 +101,8 @@ define(['backbone', 'underscore', 'gettext', 'js/models/validation_helpers', 'js
             set_videosource: function(newsource) {
         // newsource either is <video youtube="speed:key, *"/> or just the "speed:key, *" string
         // returns the videosource for the preview which iss the key whose speed is closest to 1
-                if (_.isEmpty(newsource) && !_.isEmpty(this.get('intro_video'))) this.set({intro_video: null}, {validate: true});
+                if (_.isEmpty(newsource) &&
+                  !_.isEmpty(this.get('intro_video'))) this.set({intro_video: null}, {validate: true});
         // TODO remove all whitespace w/in string
                 else {
                     if (this.get('intro_video') !== newsource) this.set('intro_video', newsource, {validate: true});
diff --git a/cms/static/js/models/settings/course_grading_policy.js b/cms/static/js/models/settings/course_grading_policy.js
index 5b2e7003d89..f954e5bf038 100644
--- a/cms/static/js/models/settings/course_grading_policy.js
+++ b/cms/static/js/models/settings/course_grading_policy.js
@@ -1,6 +1,7 @@
 /* globals _ */
-define(['backbone', 'js/models/location', 'js/collections/course_grader'],
-    function(Backbone, Location, CourseGraderCollection) {
+define(['backbone', 'js/models/location', 'js/collections/course_grader', 'edx-ui-toolkit/js/utils/string-utils'],
+    function(Backbone, Location, CourseGraderCollection, StringUtils) {
+        'use strict';
         var CourseGradingPolicy = Backbone.Model.extend({
             defaults: {
                 graders: null,  // CourseGraderCollection
@@ -37,9 +38,15 @@ define(['backbone', 'js/models/location', 'js/collections/course_grader'],
             },
             gracePeriodToDate: function() {
                 var newDate = new Date();
-                if (this.has('grace_period') && this.get('grace_period').hours) { newDate.setHours(this.get('grace_period').hours); } else newDate.setHours(0);
-                if (this.has('grace_period') && this.get('grace_period').minutes) { newDate.setMinutes(this.get('grace_period').minutes); } else newDate.setMinutes(0);
-                if (this.has('grace_period') && this.get('grace_period').seconds) { newDate.setSeconds(this.get('grace_period').seconds); } else newDate.setSeconds(0);
+                if (this.has('grace_period') && this.get('grace_period').hours) {
+                    newDate.setHours(this.get('grace_period').hours);
+                } else newDate.setHours(0);
+                if (this.has('grace_period') && this.get('grace_period').minutes) {
+                    newDate.setMinutes(this.get('grace_period').minutes);
+                } else newDate.setMinutes(0);
+                if (this.has('grace_period') && this.get('grace_period').seconds) {
+                    newDate.setSeconds(this.get('grace_period').seconds);
+                } else newDate.setSeconds(0);
 
                 return newDate;
             },
@@ -62,6 +69,7 @@ define(['backbone', 'js/models/location', 'js/collections/course_grader'],
                 return parseInt(minimum_grade_credit);
             },
             validate: function(attrs) {
+                var minimumGradeCutoff;
                 if (_.has(attrs, 'grace_period')) {
                     if (attrs.grace_period === null) {
                         return {
@@ -71,12 +79,13 @@ define(['backbone', 'js/models/location', 'js/collections/course_grader'],
                 }
                 if (this.get('is_credit_course') && _.has(attrs, 'minimum_grade_credit')) {
             // Getting minimum grade cutoff value
-                    var minimum_grade_cutoff = _.min(_.values(attrs.grade_cutoffs));
-                    if (isNaN(attrs.minimum_grade_credit) || attrs.minimum_grade_credit === null || attrs.minimum_grade_credit < minimum_grade_cutoff) {
+                    minimumGradeCutoff = _.min(_.values(attrs.grade_cutoffs));
+                    if (isNaN(attrs.minimum_grade_credit) || attrs.minimum_grade_credit === null ||
+                      attrs.minimum_grade_credit < minimumGradeCutoff) {
                         return {
-                            minimum_grade_credit: interpolate(
+                            minimum_grade_credit: StringUtils.interpolate(
                         gettext('Not able to set passing grade to less than %(minimum_grade_cutoff)s%.'),
-                        {minimum_grade_cutoff: minimum_grade_cutoff * 100},
+                        {minimum_grade_cutoff: minimumGradeCutoff * 100},
                         true
                     )
                         };
diff --git a/cms/static/js/views/abstract_editor.js b/cms/static/js/views/abstract_editor.js
index 81ff65a5e1c..c67fc164ad2 100644
--- a/cms/static/js/views/abstract_editor.js
+++ b/cms/static/js/views/abstract_editor.js
@@ -9,6 +9,7 @@ define(['js/views/baseview', 'underscore'], function(BaseView, _) {
             // Backbone model cid is only unique within the collection.
             this.uniqueId = _.uniqueId(templateName + '_');
             this.template = this.loadTemplate(templateName);
+            // xss-lint: disable=javascript-jquery-html
             this.$el.html(this.template({model: this.model, uniqueId: this.uniqueId}));
             this.listenTo(this.model, 'change', this.render);
             this.render();
diff --git a/cms/static/js/views/asset.js b/cms/static/js/views/asset.js
index 541ffe780c5..ee5721343cc 100644
--- a/cms/static/js/views/asset.js
+++ b/cms/static/js/views/asset.js
@@ -1,6 +1,7 @@
 define(['js/views/baseview', 'underscore', 'gettext', 'common/js/components/views/feedback_prompt',
-    'common/js/components/views/feedback_notification'],
-    function(BaseView, _, gettext, PromptView, NotificationView) {
+    'common/js/components/views/feedback_notification', 'edx-ui-toolkit/js/utils/html-utils'],
+    function(BaseView, _, gettext, PromptView, NotificationView, HtmlUtils) {
+        'use strict';
         var AssetView = BaseView.extend({
             initialize: function() {
                 this.template = this.loadTemplate('asset');
@@ -14,7 +15,7 @@ define(['js/views/baseview', 'underscore', 'gettext', 'common/js/components/view
 
             render: function() {
                 var uniqueId = _.uniqueId('lock_asset_');
-                this.$el.html(this.template({
+                var attributes = {
                     display_name: this.model.get('display_name'),
                     thumbnail: this.model.get('thumbnail'),
                     date_added: this.model.get('date_added'),
@@ -23,32 +24,32 @@ define(['js/views/baseview', 'underscore', 'gettext', 'common/js/components/view
                     portable_url: this.model.get('portable_url'),
                     asset_type: this.model.get_extension(),
                     uniqueId: uniqueId
-                }));
+                };
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
                 this.updateLockState();
                 return this;
             },
 
             updateLockState: function() {
-                var locked_class = 'is-locked';
+                var lockedClass = 'is-locked';
 
     // Add a class of "locked" to the tr element if appropriate,
     // and toggle locked state of hidden checkbox.
                 if (this.model.get('locked')) {
-                    this.$el.addClass(locked_class);
+                    this.$el.addClass(lockedClass);
                     this.$el.find('.lock-checkbox').attr('checked', 'checked');
                 } else {
-                    this.$el.removeClass(locked_class);
+                    this.$el.removeClass(lockedClass);
                     this.$el.find('.lock-checkbox').removeAttr('checked');
                 }
             },
 
             confirmDelete: function(e) {
+                var asset = this.model;
                 if (e && e.preventDefault) { e.preventDefault(); }
-                var asset = this.model,
-                    collection = this.model.collection;
                 new PromptView.Warning({
                     title: gettext('Delete File Confirmation'),
-                    message: gettext('Are you sure you wish to delete this item. It cannot be reversed!\n\nAlso any content that links/refers to this item will no longer work (e.g. broken images and/or links)'),
+                    message: gettext('Are you sure you wish to delete this item. It cannot be reversed!\n\nAlso any content that links/refers to this item will no longer work (e.g. broken images and/or links)'), // eslint-disable-line max-len
                     actions: {
                         primary: {
                             text: gettext('Delete'),
@@ -76,7 +77,7 @@ define(['js/views/baseview', 'underscore', 'gettext', 'common/js/components/view
                 }).show();
             },
 
-            lockAsset: function(e) {
+            lockAsset: function() {
                 var asset = this.model;
                 var saving = new NotificationView.Mini({
                     title: gettext('Saving')
diff --git a/cms/static/js/views/course_info_handout.js b/cms/static/js/views/course_info_handout.js
index f2fcc8723fd..621f644b2cf 100644
--- a/cms/static/js/views/course_info_handout.js
+++ b/cms/static/js/views/course_info_handout.js
@@ -1,102 +1,105 @@
-define(['js/views/baseview', 'codemirror', 'common/js/components/views/feedback_notification', 'js/views/course_info_helper', 'js/utils/modal'],
-    function(BaseView, CodeMirror, NotificationView, CourseInfoHelper, ModalUtils) {
+define([
+    'js/views/baseview',
+    'codemirror',
+    'common/js/components/views/feedback_notification',
+    'js/views/course_info_helper',
+    'js/utils/modal',
+    'edx-ui-toolkit/js/utils/html-utils'
+],
+function(BaseView, CodeMirror, NotificationView, CourseInfoHelper, ModalUtils, HtmlUtils) {
+    'use strict';
     // the handouts view is dumb right now; it needs tied to a model and all that jazz
-        var CourseInfoHandoutsView = BaseView.extend({
-        // collection is CourseUpdateCollection
-            events: {
-                'click .save-button': 'onSave',
-                'click .cancel-button': 'onCancel',
-                'click .edit-button': 'onEdit'
-            },
+    var CourseInfoHandoutsView = BaseView.extend({
+    // collection is CourseUpdateCollection
+        events: {
+            'click .save-button': 'onSave',
+            'click .cancel-button': 'onCancel',
+            'click .edit-button': 'onEdit'
+        },
 
-            initialize: function() {
-                this.template = this.loadTemplate('course_info_handouts');
-                var self = this;
-                this.model.fetch({
-                    complete: function() {
-                        self.render();
-                    },
-                    reset: true
-                });
-            },
-
-            render: function() {
-                CourseInfoHelper.changeContentToPreview(
-                this.model, 'data', this.options.base_asset_url);
-
-                this.$el.html(
-                $(this.template({
-                    model: this.model
-                }))
-            );
-                $('.handouts-content').html(this.model.get('data'));
-                this.$preview = this.$el.find('.handouts-content');
-                this.$form = this.$el.find('.edit-handouts-form');
-                this.$editor = this.$form.find('.handouts-content-editor');
-                this.$form.hide();
+        initialize: function() {
+            var self = this;
+            this.template = this.loadTemplate('course_info_handouts');
+            this.model.fetch({
+                complete: function() {
+                    self.render();
+                },
+                reset: true
+            });
+        },
 
-                return this;
-            },
+        render: function() {
+            CourseInfoHelper.changeContentToPreview(
+            this.model, 'data', this.options.base_asset_url);
+            this.$el.html(HtmlUtils.HTML($(this.template({model: this.model}))).toString());
+            HtmlUtils.setHtml($('.handouts-content'), HtmlUtils.HTML(this.model.get('data')));
+            this.$preview = this.$el.find('.handouts-content');
+            this.$form = this.$el.find('.edit-handouts-form');
+            this.$editor = this.$form.find('.handouts-content-editor');
+            this.$form.hide();
 
-            onEdit: function(event) {
-                var self = this;
-                this.$editor.val(this.$preview.html());
-                this.$form.show();
+            return this;
+        },
 
-                this.$codeMirror = CourseInfoHelper.editWithCodeMirror(
-                self.model, 'data', self.options.base_asset_url, this.$editor.get(0));
+        onEdit: function() {
+            var self = this;
+            this.$editor.val(this.$preview.html());
+            this.$form.show();
 
-                ModalUtils.showModalCover(false, function() { self.closeEditor(); });
-            },
+            this.$codeMirror = CourseInfoHelper.editWithCodeMirror(
+            self.model, 'data', self.options.base_asset_url, this.$editor.get(0));
 
-            onSave: function(event) {
-                var handoutsContent = this.$codeMirror.getValue();
-                $('#handout_error').removeClass('is-shown');
-                $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
-                if ($('.CodeMirror-lines').find('.cm-error').length == 0) {
-                    if (handoutsContent === '') {
-                        handoutsContent = '<ol></ol>';
-                    }
-                    this.model.set('data', handoutsContent);
-                    var saving = new NotificationView.Mini({
-                        title: gettext('Saving')
-                    });
-                    saving.show();
-                    this.model.save({}, {
-                        success: function() {
-                            saving.hide();
-                        }
-                    });
-                    this.render();
-                    this.$form.hide();
-                    this.closeEditor();
+            ModalUtils.showModalCover(false, function() { self.closeEditor(); });
+        },
 
-                    analytics.track('Saved Course Handouts', {
-                        course: course_location_analytics
-                    });
-                } else {
-                    $('#handout_error').addClass('is-shown');
-                    $('.save-button').addClass('is-disabled').attr('aria-disabled', true);
-                    event.preventDefault();
+        onSave: function(event) {
+            var saving = new NotificationView.Mini({
+                title: gettext('Saving')
+            });
+            var handoutsContent = this.$codeMirror.getValue();
+            $('#handout_error').removeClass('is-shown');
+            $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
+            if ($('.CodeMirror-lines').find('.cm-error').length === 0) {
+                if (handoutsContent === '') {
+                    handoutsContent = '<ol></ol>';
                 }
-            },
-
-            onCancel: function(event) {
-                $('#handout_error').removeClass('is-shown');
-                $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
+                this.model.set('data', handoutsContent);
+                saving.show();
+                this.model.save({}, {
+                    success: function() {
+                        saving.hide();
+                    }
+                });
+                this.render();
                 this.$form.hide();
                 this.closeEditor();
-            },
 
-            closeEditor: function() {
-                $('#handout_error').removeClass('is-shown');
-                $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
-                this.$form.hide();
-                ModalUtils.hideModalCover();
-                this.$form.find('.CodeMirror').remove();
-                this.$codeMirror = null;
+                analytics.track('Saved Course Handouts', { // eslint-disable-line no-undef
+                    course: course_location_analytics // eslint-disable-line no-undef
+                });
+            } else {
+                $('#handout_error').addClass('is-shown');
+                $('.save-button').addClass('is-disabled').attr('aria-disabled', true);
+                event.preventDefault();
             }
-        });
+        },
+
+        onCancel: function() {
+            $('#handout_error').removeClass('is-shown');
+            $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
+            this.$form.hide();
+            this.closeEditor();
+        },
+
+        closeEditor: function() {
+            $('#handout_error').removeClass('is-shown');
+            $('.save-button').removeClass('is-disabled').attr('aria-disabled', false);
+            this.$form.hide();
+            ModalUtils.hideModalCover();
+            this.$form.find('.CodeMirror').remove();
+            this.$codeMirror = null;
+        }
+    });
 
-        return CourseInfoHandoutsView;
-    }); // end define()
+    return CourseInfoHandoutsView;
+}); // end define()
diff --git a/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html b/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
index 66d1a4a31ad..7c74321daad 100644
--- a/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
+++ b/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
@@ -1,5 +1,12 @@
-<%namespace name='static' file='../static_content.html'/>
+<%page expression_filter="h"/>
 
+<%namespace name='static' file='../static_content.html'/>
+<%!
+from openedx.core.djangolib.js_utils import (
+    dump_js_escaped_json
+)
+%>
+<%! import json %>
 <!DOCTYPE HTML>
 <script src="${static.url('js/vendor/xdomain.min.js')}"></script>
-<script>xdomain.masters(${xdomain_masters});</script>
+<script>xdomain.masters(${json.loads(xdomain_masters) | n, dump_js_escaped_json});</script>
diff --git a/openedx/features/learner_profile/static/learner_profile/js/views/badge_view.js b/openedx/features/learner_profile/static/learner_profile/js/views/badge_view.js
index cb68d8595c9..85432491698 100644
--- a/openedx/features/learner_profile/static/learner_profile/js/views/badge_view.js
+++ b/openedx/features/learner_profile/static/learner_profile/js/views/badge_view.js
@@ -5,9 +5,10 @@
         [
             'gettext', 'jquery', 'underscore', 'backbone', 'moment',
             'text!learner_profile/templates/badge.underscore',
-            'learner_profile/js/views/share_modal_view'
+            'learner_profile/js/views/share_modal_view',
+            'edx-ui-toolkit/js/utils/html-utils'
         ],
-        function(gettext, $, _, Backbone, Moment, badgeTemplate, ShareModalView) {
+        function(gettext, $, _, Backbone, Moment, badgeTemplate, ShareModalView, HtmlUtils) {
             var BadgeView = Backbone.View.extend({
                 initialize: function(options) {
                     this.options = _.extend({}, options);
@@ -35,7 +36,7 @@
                     modal.$el.fadeIn('short', 'swing', _.bind(modal.ready, modal));
                 },
                 render: function() {
-                    this.$el.html(this.template(this.context));
+                    this.$el.html(HtmlUtils.HTML(this.template(this.context)).toString());
                     this.shareButton = this.$el.find('.share-button');
                     return this;
                 }
diff --git a/openedx/features/learner_profile/static/learner_profile/js/views/section_two_tab.js b/openedx/features/learner_profile/static/learner_profile/js/views/section_two_tab.js
index 03e675db3c6..23064c9e6b6 100644
--- a/openedx/features/learner_profile/static/learner_profile/js/views/section_two_tab.js
+++ b/openedx/features/learner_profile/static/learner_profile/js/views/section_two_tab.js
@@ -3,9 +3,10 @@
 
     define(
         [
-            'gettext', 'jquery', 'underscore', 'backbone', 'text!learner_profile/templates/section_two.underscore'
+            'gettext', 'jquery', 'underscore', 'backbone', 'text!learner_profile/templates/section_two.underscore',
+            'edx-ui-toolkit/js/utils/html-utils'
         ],
-        function(gettext, $, _, Backbone, sectionTwoTemplate) {
+        function(gettext, $, _, Backbone, sectionTwoTemplate, HtmlUtils) {
             var SectionTwoTab = Backbone.View.extend({
                 attributes: {
                     class: 'wrapper-profile-section-two'
@@ -17,10 +18,7 @@
                 render: function() {
                     var self = this;
                     var showFullProfile = this.options.showFullProfile();
-                    this.$el.html(this.template({
-                        ownProfile: self.options.ownProfile,
-                        showFullProfile: showFullProfile
-                    }));
+                    this.$el.html(HtmlUtils.HTML(this.template({ownProfile: self.options.ownProfile, showFullProfile: showFullProfile})).toString()); // eslint-disable-line max-len
                     if (showFullProfile) {
                         _.each(this.options.viewList, function(fieldView) {
                             self.$el.find('.field-container').append(fieldView.render().el);
diff --git a/openedx/features/learner_profile/static/learner_profile/js/views/share_modal_view.js b/openedx/features/learner_profile/static/learner_profile/js/views/share_modal_view.js
index 0e8f4884909..c018c3479ba 100644
--- a/openedx/features/learner_profile/static/learner_profile/js/views/share_modal_view.js
+++ b/openedx/features/learner_profile/static/learner_profile/js/views/share_modal_view.js
@@ -4,9 +4,10 @@
     define(
         [
             'gettext', 'jquery', 'underscore', 'backbone', 'moment',
-            'text!learner_profile/templates/share_modal.underscore'
+            'text!learner_profile/templates/share_modal.underscore',
+            'edx-ui-toolkit/js/utils/html-utils'
         ],
-        function(gettext, $, _, Backbone, Moment, badgeModalTemplate) {
+        function(gettext, $, _, Backbone, Moment, badgeModalTemplate, HtmlUtils) {
             var ShareModalView = Backbone.View.extend({
                 attributes: {
                     class: 'badges-overlay'
@@ -45,7 +46,7 @@
                     this.$el.find('.badges-modal').focus();
                 },
                 render: function() {
-                    this.$el.html(this.template(this.model.toJSON()));
+                    this.$el.html(HtmlUtils.HTML(this.template(this.model.toJSON())).toString());
                     return this;
                 }
             });
diff --git a/themes/red-theme/lms/templates/ace_common/edx_ace/common/base_body.html b/themes/red-theme/lms/templates/ace_common/edx_ace/common/base_body.html
index 548fa6dc878..8d51b16498d 100644
--- a/themes/red-theme/lms/templates/ace_common/edx_ace/common/base_body.html
+++ b/themes/red-theme/lms/templates/ace_common/edx_ace/common/base_body.html
@@ -64,7 +64,7 @@
                         <td width="70">
                             <a href="{% with_link_tracking homepage_url %}"><img
                                     src="http://localhost:18000/static/red-theme/images/logo.png"
-                                    alt="{% blocktrans %}Go to {{ platform_name }} Home Page{% endblocktrans %}"/></a>
+                                    alt="{% filter force_escape %} {% blocktrans %}Go to {{ platform_name }} Home Page{% endblocktrans %} {% endfilter %}"/></a>
                         </td>
                         <td align="right" style="text-align: {{ LANGUAGE_BIDI|yesno:"left,right" }};">
                             <a class="login" href="{% with_link_tracking dashboard_url %}" style="color: #960909;">{%  trans "Sign In" %}</a>
@@ -97,7 +97,7 @@
                                         <td height="32" width="42">
                                             <a href="{{ social_media_urls.linkedin|safe }}">
                                                 <img src="https://media.sailthru.com/595/1k1/8/o/599f354ec70cb.png"
-                                                     width="32" height="32" alt="{% blocktrans %}{{ platform_name }} on LinkedIn{% endblocktrans %}"/>
+                                                     width="32" height="32" alt="{% filter force_escape %} {% blocktrans %}{{ platform_name }} on LinkedIn{% endblocktrans %} {% endfilter %}"/>
                                             </a>
                                         </td>
                                     {% endif %}
@@ -105,7 +105,7 @@
                                         <td height="32" width="42">
                                             <a href="{{ social_media_urls.twitter|safe }}">
                                                 <img src="https://media.sailthru.com/595/1k1/8/o/599f354d9c26e.png"
-                                                     width="32" height="32" alt="{% blocktrans %}{{ platform_name }} on Twitter{% endblocktrans %}"/>
+                                                     width="32" height="32" alt="{% filter force_escape %} {% blocktrans %}{{ platform_name }} on Twitter{% endblocktrans %} {% endfilter %}"/>
                                             </a>
                                         </td>
                                     {% endif %}
@@ -113,7 +113,7 @@
                                         <td height="32" width="42">
                                             <a href="{{ social_media_urls.facebook|safe }}">
                                                 <img src="https://media.sailthru.com/595/1k1/8/o/599f355052c8e.png"
-                                                     width="32" height="32" alt="{% blocktrans %}{{ platform_name }} on Facebook{% endblocktrans %}"/>
+                                                     width="32" height="32" alt="{% filter force_escape %} {% blocktrans %}{{ platform_name }} on Facebook{% endblocktrans %} {% endfilter %}"/>
                                             </a>
                                         </td>
                                     {% endif %}
@@ -121,7 +121,7 @@
                                         <td height="32" width="42">
                                             <a href="{{ social_media_urls.google_plus|safe }}">
                                                 <img src="https://media.sailthru.com/595/1k1/8/o/599f354fc554a.png"
-                                                     width="32" height="32" alt="{% blocktrans %}{{ platform_name }} on Google Plus{% endblocktrans %}"/>
+                                                     width="32" height="32" alt="{% filter force_escape %} {% blocktrans %}{{ platform_name }} on Google Plus{% endblocktrans %} {% endfilter %}"/>
                                             </a>
                                         </td>
                                     {% endif %}
@@ -129,7 +129,7 @@
                                         <td height="32" width="42">
                                             <a href="{{ social_media_urls.reddit|safe }}">
                                                 <img src="https://media.sailthru.com/595/1k1/8/o/599f354e326b9.png"
-                                                     width="32" height="32" alt="{% blocktrans %}{{ platform_name }} on Reddit{% endblocktrans %}"/>
+                                                     width="32" height="32" alt="{% filter force_escape %} {% blocktrans %}{{ platform_name }} on Reddit{% endblocktrans %} {% endfilter %}"/>
                                             </a>
                                         </td>
                                     {% endif %}
@@ -143,14 +143,14 @@
                             {% if mobile_store_urls.apple %}
                                 <a href="{{ mobile_store_urls.apple|safe }}" style="text-decoration: none">
                                     <img src="https://media.sailthru.com/595/1k1/6/2/5931cfbba391b.png"
-                                         alt="{% trans "Download the iOS app on the Apple Store" %}"
+                                         alt="{% trans "Download the iOS app on the Apple Store" as tmsg %}{{ tmsg | force_escape }}"
                                          width="136" height="50" style="margin-{{ LANGUAGE_BIDI|yesno:"left,right" }}: 10px"/>
                                 </a>
                             {% endif %}
                             {% if mobile_store_urls.google %}
                                 <a href="{{ mobile_store_urls.google|safe }}" style="text-decoration: none">
                                     <img src="https://media.sailthru.com/595/1k1/6/2/5931cf879a033.png"
-                                         alt="{% trans "Download the Android app on the Google Play Store" %}"
+                                         alt="{% trans "Download the Android app on the Google Play Store" as tmsg %}{{ tmsg | force_escape }}"
                                          width="136" height="50"/>
                                 </a>
                             {% endif %}
@@ -171,9 +171,9 @@
                     <tr>
                         <!-- COPYRIGHT -->
                         <td>
-                            &copy; {% now "Y" %} {{ platform_name }}, {% trans "All rights reserved" %}.<br/>
+                            &copy; {% now "Y" %} {{ platform_name }}, {% trans "All rights reserved" as tmsg %}{{ tmsg | force_escape }}.<br/>
                             <br/>
-                            {% trans "Our mailing address is" %}:<br/>
+                            {% trans "Our mailing address is" as tmsg %}{{ tmsg | force_escape }}:<br/>
                             {{ contact_mailing_address }}
                         </td>
                     </tr>
diff --git a/themes/stanford-style/lms/templates/courseware/course_about_sidebar_header.html b/themes/stanford-style/lms/templates/courseware/course_about_sidebar_header.html
index e1694ce3d06..ee6566d91cd 100644
--- a/themes/stanford-style/lms/templates/courseware/course_about_sidebar_header.html
+++ b/themes/stanford-style/lms/templates/courseware/course_about_sidebar_header.html
@@ -1,3 +1,4 @@
+<%page expression_filter="h"/>
 <%!
 from django.utils.translation import ugettext as _
 %>
@@ -5,10 +6,10 @@
 <header>
   <div class="social-sharing">
     <div class="sharing-message">${_("Share with friends and family!")}</div>
-    <a href="http://twitter.com/intent/tweet?text=I+just+enrolled+in+${course.number}+${course.display_name_with_default_escaped}!+(http://class.stanford.edu)" class="share">
+    <a href="http://twitter.com/intent/tweet?text=I+just+enrolled+in+${course.number}+${course.display_name_with_default}!+(http://class.stanford.edu)" class="share">
       <span class="icon fa fa-twitter" aria-hidden="true"></span><span class="sr">${_("Tweet that you've enrolled in this course")}</span>
     </a>
-    <a href="mailto:?subject=Take%20a%20course%20at%20Stanford%20online!&body=I%20just%20enrolled%20in%20${course.number}%20${course.display_name_with_default_escaped}+(http://class.stanford.edu)" class="share">
+    <a href="mailto:?subject=Take%20a%20course%20at%20Stanford%20online!&body=I%20just%20enrolled%20in%20${course.number}%20${course.display_name_with_default}+(http://class.stanford.edu)" class="share">
       <span class="icon fa fa-envelope" aria-hidden="true"></span><span class="sr">${_("Email someone to say you've enrolled in this course")}</span>
     </a>
   </div>

From b2f5877d34ae2dd3e5feabe392ba24f3e397a92c Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 24 Aug 2020 10:53:00 -0500
Subject: [PATCH 2/8] backport of security patch from PR 24568 upstream

---
 .../views/video/transcripts/file_uploader.js  | 18 +++++++++--------
 cms/templates/edit-tabs.html                  |  2 +-
 cms/templates/manage_users_lib.html           |  4 +++-
 .../views/pay_and_verify_view.js              |  5 ++++-
 .../js/verify_student/views/reverify_view.js  |  5 ++++-
 lms/static/js/views/image_field.js            | 20 ++++++++++---------
 lms/static/js/views/notification.js           |  2 +-
 lms/templates/split_test_author_view.html     | 15 +++++++++-----
 8 files changed, 44 insertions(+), 27 deletions(-)

diff --git a/cms/static/js/views/video/transcripts/file_uploader.js b/cms/static/js/views/video/transcripts/file_uploader.js
index 2acd158c1cb..8edab306a58 100644
--- a/cms/static/js/views/video/transcripts/file_uploader.js
+++ b/cms/static/js/views/video/transcripts/file_uploader.js
@@ -1,9 +1,11 @@
 define(
     [
         'jquery', 'backbone', 'underscore',
-        'js/views/video/transcripts/utils'
+        'js/views/video/transcripts/utils',
+        'edx-ui-toolkit/js/utils/html-utils'
     ],
-function($, Backbone, _, TranscriptUtils) {
+function($, Backbone, _, TranscriptUtils, HtmlUtils) {
+    'use strict';
     var FileUploader = Backbone.View.extend({
         invisibleClass: 'is-invisible',
 
@@ -37,9 +39,8 @@ function($, Backbone, _, TranscriptUtils) {
 
                     return;
                 }
-                this.template = _.template(tpl);
-
-                tplContainer.html(this.template({
+                this.template = HtmlUtils.template(tpl);
+                HtmlUtils.setHtml(tplContainer, this.template({
                     ext: this.validFileExtensions,
                     component_locator: this.options.component_locator
                 }));
@@ -126,11 +127,12 @@ function($, Backbone, _, TranscriptUtils) {
         *
         */
         checkExtValidity: function(file) {
+            var fileExtension;
             if (!file.name) {
                 return void(0);
             }
 
-            var fileExtension = file.name
+            fileExtension = file.name
                                     .split('.')
                                     .pop()
                                     .toLowerCase();
@@ -153,7 +155,7 @@ function($, Backbone, _, TranscriptUtils) {
 
             this.$progress
                 .width(percentVal)
-                .html(percentVal)
+                .text(percentVal)
                 .removeClass(this.invisibleClass);
         },
 
@@ -177,7 +179,7 @@ function($, Backbone, _, TranscriptUtils) {
 
             this.$progress
                 .width(percentVal)
-                .html(percentVal);
+                .text(percentVal);
         },
 
         /**
diff --git a/cms/templates/edit-tabs.html b/cms/templates/edit-tabs.html
index 7ee868aaa52..c9e30c32239 100644
--- a/cms/templates/edit-tabs.html
+++ b/cms/templates/edit-tabs.html
@@ -21,7 +21,7 @@
 
 <%block name="page_bundle">
     <%static:webpack entry="js/factories/edit_tabs">
-        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id})}");
+        EditTabsFactory("${context_course.location | n, js_escaped_string}", "${reverse('tabs_handler', kwargs={'course_key_string': context_course.id}) | n, js_escaped_string}");
     </%static:webpack>
 </%block>
 
diff --git a/cms/templates/manage_users_lib.html b/cms/templates/manage_users_lib.html
index 4d9e4e1aa2c..0800be9eb5d 100644
--- a/cms/templates/manage_users_lib.html
+++ b/cms/templates/manage_users_lib.html
@@ -1,3 +1,5 @@
+<%page expression_filter="h"/>
+
 <%inherit file="base.html" />
 <%!
 from django.utils.translation import ugettext as _
@@ -110,7 +112,7 @@ <h3 class="title-3">${_("Library Access Roles")}</h3>
 <%block name="requirejs">
   require(["js/factories/manage_users_lib"], function(ManageLibraryUsersFactory) {
       ManageLibraryUsersFactory(
-        "${context_library.display_name_with_default | h}",
+        "${context_library.display_name_with_default | n, js_escaped_string}",
         ${users | n, dump_js_escaped_json},
         "${reverse('course_team_handler', kwargs={'course_key_string': library_key, 'email': '@@EMAIL@@'}) | n, js_escaped_string}",
         ${request.user.id | n, dump_js_escaped_json},
diff --git a/lms/static/js/verify_student/views/pay_and_verify_view.js b/lms/static/js/verify_student/views/pay_and_verify_view.js
index 452b0cb7312..4dd4d4d16f2 100644
--- a/lms/static/js/verify_student/views/pay_and_verify_view.js
+++ b/lms/static/js/verify_student/views/pay_and_verify_view.js
@@ -126,7 +126,10 @@ var edx = edx || {};
             // Get or create the step container
             $stepEl = $('#current-step-container');
             if (!$stepEl.length) {
-                $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                $stepEl = edx.HtmlUtils.append(
+                  $(this.el),
+                  edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                );
             }
 
             // Render the subview
diff --git a/lms/static/js/verify_student/views/reverify_view.js b/lms/static/js/verify_student/views/reverify_view.js
index 43257138b33..b61ca2f1b50 100644
--- a/lms/static/js/verify_student/views/reverify_view.js
+++ b/lms/static/js/verify_student/views/reverify_view.js
@@ -83,7 +83,10 @@
             // Get or create the step container
              $stepEl = $('#current-step-container');
              if (!$stepEl.length) {
-                 $stepEl = $('<div id="current-step-container"></div>').appendTo(this.el);
+                 $stepEl = edx.HtmlUtils.append(
+                   $(this.el),
+                   edx.HtmlUtils.HTML('<div id="current-step-container"></div>').toString()
+                 );
              }
 
             // Render the step subview
diff --git a/lms/static/js/views/image_field.js b/lms/static/js/views/image_field.js
index d5687596175..3a4b427c15d 100644
--- a/lms/static/js/views/image_field.js
+++ b/lms/static/js/views/image_field.js
@@ -1,15 +1,16 @@
 (function(define) {
     'use strict';
     define([
-        'gettext', 'jquery', 'underscore', 'backbone', 'js/views/fields',
+        'gettext', 'jquery', 'underscore', 'backbone',
+        'edx-ui-toolkit/js/utils/html-utils', 'js/views/fields',
         'text!templates/fields/field_image.underscore',
         'backbone-super', 'jquery.fileupload'
-    ], function(gettext, $, _, Backbone, FieldViews, field_image_template) {
+    ], function(gettext, $, _, Backbone, HtmlUtils, FieldViews, FieldImageTemplate) {
         var ImageFieldView = FieldViews.FieldView.extend({
 
             fieldType: 'image',
 
-            fieldTemplate: field_image_template,
+            fieldTemplate: FieldImageTemplate,
             uploadButtonSelector: '.upload-button-input',
 
             titleAdd: gettext('Upload an image'),
@@ -44,7 +45,7 @@
             },
 
             render: function() {
-                this.$el.html(this.template({
+                var attributes = {
                     id: this.options.valueAttribute,
                     inputName: (this.options.inputName || 'file'),
                     imageUrl: _.result(this, 'imageUrl'),
@@ -54,7 +55,8 @@
                     removeButtonIcon: _.result(this, 'iconRemove'),
                     removeButtonTitle: _.result(this, 'removeButtonTitle'),
                     screenReaderTitle: _.result(this, 'screenReaderTitle')
-                }));
+                };
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
                 this.delegateEvents();
                 this.updateButtonsVisibility();
                 this.watchForPageUnload();
@@ -184,14 +186,14 @@
 
             showUploadInProgressMessage: function() {
                 this.$('.u-field-upload-button').addClass('in-progress');
-                this.$('.upload-button-icon').html(this.iconProgress);
-                this.$('.upload-button-title').html(this.titleUploading);
+                HtmlUtils.setHtml(this.$('.upload-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.upload-button-title'), HtmlUtils.HTML(this.titleUploading));
             },
 
             showRemovalInProgressMessage: function() {
                 this.$('.u-field-remove-button').css('opacity', 1);
-                this.$('.remove-button-icon').html(this.iconProgress);
-                this.$('.remove-button-title').html(this.titleRemoving);
+                HtmlUtils.setHtml(this.$('.remove-button-icon'), HtmlUtils.HTML(this.iconProgress));
+                HtmlUtils.setHtml(this.$('.remove-button-title'), HtmlUtils.HTML(this.titleRemoving));
             },
 
             setCurrentStatus: function(status) {
diff --git a/lms/static/js/views/notification.js b/lms/static/js/views/notification.js
index a5cc328f179..1187e8478bb 100644
--- a/lms/static/js/views/notification.js
+++ b/lms/static/js/views/notification.js
@@ -9,7 +9,7 @@
         },
 
         render: function() {
-            this.$el.html(this.template({
+            this.$el.html(this.template({ // xss-lint: disable=javascript-jquery-html
                 type: this.model.get('type'),
                 title: this.model.get('title'),
                 message: this.model.get('message'),
diff --git a/lms/templates/split_test_author_view.html b/lms/templates/split_test_author_view.html
index ede487e199f..534777d0b16 100644
--- a/lms/templates/split_test_author_view.html
+++ b/lms/templates/split_test_author_view.html
@@ -1,4 +1,9 @@
-<%! from django.utils.translation import ugettext as _ %>
+<%page expression_filter="h"/>
+
+<%!
+    from django.utils.translation import ugettext as _
+    from openedx.core.djangolib.markup import HTML, Text
+%>
 
 <%
 split_test = context.get('split_test')
@@ -11,8 +16,8 @@
     <div class="xblock-message information">
         <p>
             <span class="message-text">
-                ${_("This content experiment uses group configuration '{group_configuration_name}'.").format(
-                    group_configuration_name="<a href='{}'>{}</a>".format(group_configuration_url, user_partition.name) if show_link else user_partition.name
+                ${Text(_("This content experiment uses group configuration '{group_configuration_name}'.")).format(
+                    group_configuration_name=Text(HTML("<a href='{}'>{}</a>")).format(group_configuration_url, user_partition.name) if show_link else user_partition.name
                 )}
             </span>
         </p>
@@ -23,13 +28,13 @@
 % if is_root:
     <div class="wrapper-groups is-active">
         <h3 class="sr">${_("Active Groups")}</h3>
-        ${active_groups_preview}
+        ${HTML(active_groups_preview)}
     </div>
 
     % if inactive_groups_preview:
         <div class="wrapper-groups is-inactive">
             <h3 class="title">${_("Inactive Groups")}</h3>
-            ${inactive_groups_preview}
+            ${HTML(inactive_groups_preview)}
         </div>
     % endif
 % endif

From 0e9d096178e6dbf10bd8b2e8e2cf455dec5aba33 Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 24 Aug 2020 11:02:19 -0500
Subject: [PATCH 3/8] backport of security patch from PR 24581 upstream

---
 lms/templates/student_account/register.underscore         | 2 +-
 .../verify_student/test/fake_softwaresecure_response.html | 4 ++--
 .../learner_profile/templates/badge_list.underscore       | 8 ++++----
 .../templates/badge_placeholder.underscore                | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lms/templates/student_account/register.underscore b/lms/templates/student_account/register.underscore
index 3a0e705f0ea..1bd10d9d8a6 100644
--- a/lms/templates/student_account/register.underscore
+++ b/lms/templates/student_account/register.underscore
@@ -51,7 +51,7 @@
         <span class="auto-register-message"><%- context.autoRegisterWelcomeMessage %></span>
     <% } %>
 
-    <%= context.fields %>
+    <%= context.fields /* xss-lint: disable=underscore-not-escaped */ %>
 
     <div class="form-field checkbox-optional_fields_toggle">
         <input type="checkbox" id="toggle_optional_fields" class="input-block checkbox"">
diff --git a/lms/templates/verify_student/test/fake_softwaresecure_response.html b/lms/templates/verify_student/test/fake_softwaresecure_response.html
index d32a9a0d400..0a15a241fc0 100644
--- a/lms/templates/verify_student/test/fake_softwaresecure_response.html
+++ b/lms/templates/verify_student/test/fake_softwaresecure_response.html
@@ -65,10 +65,10 @@
             data: JSON.stringify(data),
             contentType: "application/json;",
             success: function () {
-               $('#success-info').html('status updated.');
+               $('#success-info').text('status updated.');
             },
             error: function(jqXHR, textStatus, errorThrown) {
-                $('#errors-info').html(jqXHR.responseText);
+                $('#errors-info').text(jqXHR.responseText);
             }
         });
     }
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore b/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
index 23e722f9bc5..80c2cc2ca72 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/badge_list.underscore
@@ -1,4 +1,4 @@
-<div class="sr-is-focusable sr-<%= type %>-view" tabindex="-1"></div>
-<div class="<%= type %>-paging-header"></div>
-<div class="<%= type %>-list cards-list"></div>
-<div class="<%= type %>-paging-footer"></div>
+<div class="sr-is-focusable sr-<%- type %>-view" tabindex="-1"></div>
+<div class="<%- type %>-paging-header"></div>
+<div class="<%- type %>-list cards-list"></div>
+<div class="<%- type %>-paging-footer"></div>
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore b/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
index fc24899d97b..b7eb9976e8e 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/badge_placeholder.underscore
@@ -5,6 +5,6 @@
   <div class="badge-details">
     <div class="badge-name"><%- gettext("What's Your Next Accomplishment?") %></div>
     <p class="badge-description"><%- gettext('Start working toward your next learning goal.') %></p>
-    <a class="find-course" href="<%= find_courses_url %>"><span class="find-button-container"><%- gettext('Find a course') %></span></a>
+    <a class="find-course" href="<%- find_courses_url %>"><span class="find-button-container"><%- gettext('Find a course') %></span></a>
   </div>
 </div>

From e690f0fe278ff4e31f54b3c568c43ae8a64d2b4c Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 24 Aug 2020 11:16:48 -0500
Subject: [PATCH 4/8] backport of security patch from PR 24725 upstream

---
 cms/templates/admin/base_site.html                 |  6 +++---
 .../static/support/js/views/enrollment_modal.js    |  1 +
 .../static/support/templates/enrollment.underscore |  4 ++--
 .../teams/static/teams/templates/date.underscore   |  2 +-
 .../teams/templates/edit-team-member.underscore    | 14 +++++++-------
 lms/static/js/views/file_uploader.js               |  1 +
 .../api_admin/api_access_request_form.html         |  1 +
 .../lms/templates/static_templates/tos.html        |  2 ++
 8 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/cms/templates/admin/base_site.html b/cms/templates/admin/base_site.html
index d050919de33..953b42d2bf0 100644
--- a/cms/templates/admin/base_site.html
+++ b/cms/templates/admin/base_site.html
@@ -7,13 +7,13 @@ <h1 id="site-name"><a href="{% url 'admin:index' %}">{{ site_header|default:_('D
 {% block nav-global %}{% endblock %}
 {% block userlinks %}
     {% if site_url %}
-        <a href="{{ site_url }}">{% trans 'View site' %}</a> /
+        <a href="{{ site_url }}">{% trans 'View site' as tmsg%} {{tmsg|force_escape}}</a> /
     {% endif %}
     {% if user.is_active and user.is_staff %}
         {% url 'django-admindocs-docroot' as docsroot %}
         {% if docsroot %}
-            <a href="{{ docsroot }}">{% trans 'Documentation' %}</a> /
+            <a href="{{ docsroot }}">{% trans 'Documentation' as tmsg %} {{tmsg|force_escape}}</a> /
         {% endif %}
     {% endif %}
-    <a href="{% url 'admin:logout' %}">{% trans 'Log out' %}</a>
+    <a href="{% url 'admin:logout' %}">{% trans 'Log out' as tmsg %} {{tmsg|force_escape}}</a>
 {% endblock %}
diff --git a/lms/djangoapps/support/static/support/js/views/enrollment_modal.js b/lms/djangoapps/support/static/support/js/views/enrollment_modal.js
index 40a264cbf2a..1cfb47c2aaa 100644
--- a/lms/djangoapps/support/static/support/js/views/enrollment_modal.js
+++ b/lms/djangoapps/support/static/support/js/views/enrollment_modal.js
@@ -21,6 +21,7 @@
             },
 
             render: function() {
+                // xss-lint: disable=javascript-jquery-html
                 this.$el.html(_.template(this.template)({
                     enrollment: this.enrollment,
                     modes: this.modes,
diff --git a/lms/djangoapps/support/static/support/templates/enrollment.underscore b/lms/djangoapps/support/static/support/templates/enrollment.underscore
index 1c3b4db1c1a..a5abf289d0c 100644
--- a/lms/djangoapps/support/static/support/templates/enrollment.underscore
+++ b/lms/djangoapps/support/static/support/templates/enrollment.underscore
@@ -48,8 +48,8 @@
         <td>
           <button
               class="change-enrollment-btn"
-              data-modes="<%= _.pluck(enrollment.get('course_modes'), 'slug')%>"
-              data-course_id="<%= enrollment.get('course_id') %>"
+              data-modes="<%- _.pluck(enrollment.get('course_modes'), 'slug')%>"
+              data-course_id="<%- enrollment.get('course_id') %>"
           >
             <%- gettext('Change Enrollment') %>
           </button>
diff --git a/lms/djangoapps/teams/static/teams/templates/date.underscore b/lms/djangoapps/teams/static/teams/templates/date.underscore
index dcf5083f627..12ef50cdc4c 100644
--- a/lms/djangoapps/teams/static/teams/templates/date.underscore
+++ b/lms/djangoapps/teams/static/teams/templates/date.underscore
@@ -1 +1 @@
-<abbr title="<%= date %>"></abbr>
+<abbr title="<%- date %>"></abbr>
diff --git a/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore b/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
index d98af57c0d7..b8bc9839c13 100644
--- a/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
+++ b/lms/djangoapps/teams/static/teams/templates/edit-team-member.underscore
@@ -1,16 +1,16 @@
 <li class="team-member">
-    <a class="member-profile" href="<%= memberProfileUrl %>">
-        <img class="image-url" src="<%= imageUrl %>" alt="<%= username %>'s profile page" />
+    <a class="member-profile" href="<%= memberProfileUrl /* xss-lint: disable=underscore-not-escaped */%>">
+        <img class="image-url" src="<%= imageUrl /* xss-lint: disable=underscore-not-escaped */%>" alt="<%= username /* xss-lint: disable=underscore-not-escaped */%>'s profile page" />
     </a>
     <div class="member-info-container">
-    	<span class="primary"><%= username %></span>
+    	<span class="primary"><%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     	<div class="secondary">
-    		<span id="date-joined"><%= dateJoined %></span>
+    		<span id="date-joined"><%= dateJoined /* xss-lint: disable=underscore-not-escaped */%></span>
     		<span> | </span>
-    		<span id="last-active"><%= lastActive %></span>
+    		<span id="last-active"><%= lastActive /* xss-lint: disable=underscore-not-escaped */%></span>
     	</div>
     </div>
-    <button class="action-remove-member" data-username="<%= username %>">
-        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username %></span>
+    <button class="action-remove-member" data-username="<%= username /* xss-lint: disable=underscore-not-escaped */%>">
+        <%- gettext("Remove") %><span class="sr">&nbsp;<%= username /* xss-lint: disable=underscore-not-escaped */%></span>
     </button>
 </li>
diff --git a/lms/static/js/views/file_uploader.js b/lms/static/js/views/file_uploader.js
index d897852f954..343034f104b 100644
--- a/lms/static/js/views/file_uploader.js
+++ b/lms/static/js/views/file_uploader.js
@@ -39,6 +39,7 @@
                 },
                 submitButton, resultNotification;
 
+            // xss-lint: disable=javascript-jquery-html
             this.$el.html(this.template({
                 title: get_option_with_default('title', ''),
                 inputLabel: get_option_with_default('inputLabel', ''),
diff --git a/lms/templates/api_admin/api_access_request_form.html b/lms/templates/api_admin/api_access_request_form.html
index 27e6201de61..7fac7d70a82 100644
--- a/lms/templates/api_admin/api_access_request_form.html
+++ b/lms/templates/api_admin/api_access_request_form.html
@@ -17,6 +17,7 @@ <h1 id="api-header">
       <form action="" method="post" class="api-form">
         <input type="hidden" id="csrf_token" name="csrfmiddlewaretoken" value="${csrf_token}">
         ${form.as_p() | n}
+        ${form.as_p() | n, decode.utf8}
         <input id="api-access-submit" type="submit" value="${_('Request API Access')}"/>
       </form>
     </div>
diff --git a/themes/stanford-style/lms/templates/static_templates/tos.html b/themes/stanford-style/lms/templates/static_templates/tos.html
index ad65e30bce0..574b08d44b2 100644
--- a/themes/stanford-style/lms/templates/static_templates/tos.html
+++ b/themes/stanford-style/lms/templates/static_templates/tos.html
@@ -1,4 +1,5 @@
 ## mako
+<%page expression_filter="h"/>
 <%!
   from django.utils.translation import ugettext as _
 %>
@@ -27,6 +28,7 @@ <h2 id="copyright">${_('Copyright')}</h2>
 <script>
     $(document).ready(function() {
         var print_tos = '<input type="button" value="Print Terms of Service" class="print">';
+        // xss-lint: disable=javascript-jquery-prepend, javascript-jquery-append
         $('#content section.tos').prepend(print_tos).append(print_tos);
         $('#content section.tos input.print').click(function() {
             window.print();

From 4c5e0213483a38f27dda6ad4d13f922c8912e16f Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 24 Aug 2020 11:18:02 -0500
Subject: [PATCH 5/8] backport of security patch from PR 24762 upstream

---
 cms/static/js/views/components/add_xblock.js  | 12 ++++--
 .../js/views/components/add_xblock_button.js  | 17 ++++----
 cms/static/js/views/course_rerun.js           | 25 +++++++-----
 cms/static/js/views/instructor_info.js        | 11 ++++--
 cms/static/js/views/list_item_editor.js       | 11 ++++--
 cms/static/js/views/metadata.js               | 39 ++++++++++++-------
 .../js/views/video/translations_editor.js     | 13 ++++---
 cms/static/js/views/xblock_validation.js      | 10 +++--
 8 files changed, 84 insertions(+), 54 deletions(-)

diff --git a/cms/static/js/views/components/add_xblock.js b/cms/static/js/views/components/add_xblock.js
index 8da194ce49f..1479c075631 100644
--- a/cms/static/js/views/components/add_xblock.js
+++ b/cms/static/js/views/components/add_xblock.js
@@ -2,8 +2,10 @@
  * This is a simple component that renders add buttons for all available XBlock template types.
  */
 define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/components/utils/view_utils',
-    'js/views/components/add_xblock_button', 'js/views/components/add_xblock_menu'],
-    function($, _, gettext, BaseView, ViewUtils, AddXBlockButton, AddXBlockMenu) {
+    'js/views/components/add_xblock_button', 'js/views/components/add_xblock_menu',
+    'edx-ui-toolkit/js/utils/html-utils'],
+    function($, _, gettext, BaseView, ViewUtils, AddXBlockButton, AddXBlockMenu, HtmlUtils) {
+        'use strict';
         var AddXBlockComponent = BaseView.extend({
             events: {
                 'click .new-component .new-component-type .multiple-templates': 'showComponentTemplates',
@@ -19,9 +21,10 @@ define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/compo
             },
 
             render: function() {
+                var that;
                 if (!this.$el.html()) {
-                    var that = this;
-                    this.$el.html(this.template({}));
+                    that = this;
+                    this.$el.html(HtmlUtils.HTML(this.template({})).toString());
                     this.collection.each(
                         function(componentModel) {
                             var view, menu;
@@ -47,6 +50,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/compo
             },
 
             closeNewComponent: function(event) {
+                var type;
                 event.preventDefault();
                 event.stopPropagation();
                 type = $(event.currentTarget).data('type');
diff --git a/cms/static/js/views/components/add_xblock_button.js b/cms/static/js/views/components/add_xblock_button.js
index aba7bd91b9d..e0c4cc522d2 100644
--- a/cms/static/js/views/components/add_xblock_button.js
+++ b/cms/static/js/views/components/add_xblock_button.js
@@ -1,16 +1,17 @@
-define(['js/views/baseview'],
-    function(BaseView) {
+define(['js/views/baseview', 'edx-ui-toolkit/js/utils/html-utils'],
+    function(BaseView, HtmlUtils) {
+        'use strict';
         return BaseView.extend({
             tagName: 'li',
             initialize: function() {
+                var attributes = {
+                    type: this.model.type,
+                    templates: this.model.templates,
+                    display_name: this.model.display_name
+                };
                 BaseView.prototype.initialize.call(this);
                 this.template = this.loadTemplate('add-xblock-component-button');
-                this.$el.html(
-                    this.template({
-                        type: this.model.type,
-                        templates: this.model.templates,
-                        display_name: this.model.display_name
-                    })
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString()
                 );
             }
         });
diff --git a/cms/static/js/views/course_rerun.js b/cms/static/js/views/course_rerun.js
index ad904493523..f311ae10374 100644
--- a/cms/static/js/views/course_rerun.js
+++ b/cms/static/js/views/course_rerun.js
@@ -1,5 +1,7 @@
-define(['domReady', 'jquery', 'underscore', 'js/views/utils/create_course_utils', 'common/js/components/utils/view_utils'],
-    function(domReady, $, _, CreateCourseUtilsFactory, ViewUtils) {
+define(['domReady', 'jquery', 'underscore', 'js/views/utils/create_course_utils',
+    'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils'],
+    function(domReady, $, _, CreateCourseUtilsFactory, ViewUtils, HtmlUtils) {
+        'use strict';
         var CreateCourseUtils = new CreateCourseUtilsFactory({
             name: '.rerun-course-name',
             org: '.rerun-course-org',
@@ -20,6 +22,7 @@ define(['domReady', 'jquery', 'underscore', 'js/views/utils/create_course_utils'
         });
 
         var saveRerunCourse = function(e) {
+            var courseInfo;
             e.preventDefault();
 
             if (CreateCourseUtils.hasInvalidRequiredFields()) {
@@ -32,7 +35,7 @@ define(['domReady', 'jquery', 'underscore', 'js/views/utils/create_course_utils'
             var number = $newCourseForm.find('.rerun-course-number').val();
             var run = $newCourseForm.find('.rerun-course-run').val();
 
-            course_info = {
+            courseInfo = {
                 source_course_key: source_course_key,
                 org: org,
                 number: number,
@@ -40,18 +43,20 @@ define(['domReady', 'jquery', 'underscore', 'js/views/utils/create_course_utils'
                 run: run
             };
 
-            analytics.track('Reran a Course', course_info);
-            CreateCourseUtils.create(course_info, function(errorMessage) {
+            analytics.track('Reran a Course', courseInfo); // eslint-disable-line no-undef
+            CreateCourseUtils.create(courseInfo, function(errorMessage) {
                 $('.wrapper-error').addClass('is-shown').removeClass('is-hidden');
-                $('#course_rerun_error').html('<p>' + errorMessage + '</p>');
-                $('.rerun-course-save').addClass('is-disabled').attr('aria-disabled', true).removeClass('is-processing').html(gettext('Create Re-run'));
+                $('#course_rerun_error').html(HtmlUtils.joinHtml(HtmlUtils.HTML('<p>'), errorMessage, HtmlUtils.HTML('</p>')).toString()); // eslint-disable-line max-len
+                $('.rerun-course-save').addClass('is-disabled').attr('aria-disabled', true)
+                .removeClass('is-processing')
+                .text(gettext('Create Re-run'));
                 $('.action-cancel').removeClass('is-hidden');
             });
 
             // Go into creating re-run state
-            $('.rerun-course-save').addClass('is-disabled').attr('aria-disabled', true).addClass('is-processing').html(
-               '<span class="icon fa fa-refresh fa-spin" aria-hidden="true"></span>' + gettext('Processing Re-run Request')  // eslint-disable-line max-len
-            );
+            $('.rerun-course-save').addClass('is-disabled').attr('aria-disabled', true)
+            .addClass('is-processing')
+            .html(HtmlUtils.joinHtml(HtmlUtils.HTML('<span class="icon fa fa-refresh fa-spin" aria-hidden="true"></span>'), gettext('Processing Re-run Request')).toString()); // eslint-disable-line max-len
             $('.action-cancel').addClass('is-hidden');
         };
 
diff --git a/cms/static/js/views/instructor_info.js b/cms/static/js/views/instructor_info.js
index 2c13b029bb3..8942569c273 100644
--- a/cms/static/js/views/instructor_info.js
+++ b/cms/static/js/views/instructor_info.js
@@ -7,9 +7,10 @@ define([
     'gettext',
     'js/utils/templates',
     'js/models/uploads',
-    'js/views/uploads'
+    'js/views/uploads',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
-    function($, _, Backbone, gettext, TemplateUtils, FileUploadModel, FileUploadDialog) {
+    function($, _, Backbone, gettext, TemplateUtils, FileUploadModel, FileUploadDialog, HtmlUtils) {
         'use strict';
         var InstructorInfoView = Backbone.View.extend({
 
@@ -31,14 +32,16 @@ define([
             },
 
             render: function() {
+                var attributes;
                 // Assemble the render view for this model.
                 $('.course-instructor-details-fields').empty();
                 var self = this;
                 $.each(this.model.get('instructor_info').instructors, function(index, data) {
-                    $(self.el).append(self.template({
+                    attributes = {
                         data: data,
                         index: index
-                    }));
+                    };
+                    $(self.el).append(HtmlUtils.HTML(self.template(attributes)).toString());
                 });
 
                 // Avoid showing broken image on mistyped/nonexistent image
diff --git a/cms/static/js/views/list_item_editor.js b/cms/static/js/views/list_item_editor.js
index 4fae99dcf9a..33321177895 100644
--- a/cms/static/js/views/list_item_editor.js
+++ b/cms/static/js/views/list_item_editor.js
@@ -10,8 +10,9 @@
  *   saved by this view.  Note this may be a parent model.
  */
 define([
-    'js/views/baseview', 'common/js/components/utils/view_utils', 'underscore', 'gettext'
-], function(BaseView, ViewUtils, _, gettext) {
+    'js/views/baseview', 'common/js/components/utils/view_utils', 'underscore', 'gettext',
+    'edx-ui-toolkit/js/utils/html-utils'
+], function(BaseView, ViewUtils, _, gettext, HtmlUtils) {
     'use strict';
 
     var ListItemEditorView = BaseView.extend({
@@ -21,9 +22,11 @@ define([
         },
 
         render: function() {
-            this.$el.html(this.template(_.extend({
+            var template = this.template(_.extend({
                 error: this.model.validationError || this.getSaveableModel().validationError
-            }, this.getTemplateOptions())));
+            }, this.getTemplateOptions())
+            );
+            this.$el.html(HtmlUtils.HTML(template).toString());
         },
 
         setAndClose: function(event) {
diff --git a/cms/static/js/views/metadata.js b/cms/static/js/views/metadata.js
index dd28c066a7e..6bf30b3781f 100644
--- a/cms/static/js/views/metadata.js
+++ b/cms/static/js/views/metadata.js
@@ -6,10 +6,11 @@ define(
         'js/models/license', 'js/views/license',
         'js/views/video/transcripts/utils',
         'js/views/video/transcripts/metadata_videolist',
-        'js/views/video/translations_editor'
+        'js/views/video/translations_editor',
+        'edx-ui-toolkit/js/utils/html-utils'
     ],
 function(Backbone, BaseView, _, MetadataModel, AbstractEditor, FileUpload, UploadDialog,
-         LicenseModel, LicenseView, TranscriptUtils, VideoList, VideoTranslations) {
+         LicenseModel, LicenseView, TranscriptUtils, VideoList, VideoTranslations, HtmlUtils) {
     'use strict';
     var Metadata = {};
 
@@ -22,10 +23,11 @@ function(Backbone, BaseView, _, MetadataModel, AbstractEditor, FileUpload, Uploa
             var self = this,
                 counter = 0,
                 locator = self.$el.closest('[data-locator]').data('locator'),
-                courseKey = self.$el.closest('[data-course-key]').data('course-key');
+                courseKey = self.$el.closest('[data-course-key]').data('course-key'),
+                attributes = {numEntries: this.collection.length, locator: locator};
 
             this.template = this.loadTemplate('metadata-editor');
-            this.$el.html(this.template({numEntries: this.collection.length, locator: locator}));
+            this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
 
             this.collection.each(
                 function(model) {
@@ -323,12 +325,16 @@ function(Backbone, BaseView, _, MetadataModel, AbstractEditor, FileUpload, Uploa
             list.empty();
             _.each(value, function(ele, index) {
                 var template = _.template(
-                    '<li class="list-settings-item">' +
-                        '<input type="text" class="input" value="<%- ele %>">' +
-                        '<a href="#" class="remove-action remove-setting" data-index="<%- index %>"><span class="icon fa fa-times-circle" aria-hidden="true"></span><span class="sr">' + gettext('Remove') + '</span></a>' +   // eslint-disable-line max-len
-                    '</li>'
+                    HtmlUtils.joinHtml(
+                        HtmlUtils.HTML('<li class="list-settings-item">'),
+                        HtmlUtils.HTML('<input type="text" class="input" value="<%- ele %>">'),
+                        HtmlUtils.HTML('<a href="#" class="remove-action remove-setting" data-index="<%- index %>"><span class="icon fa fa-times-circle" aria-hidden="true"></span><span class="sr">'), // eslint-disable-line max-len
+                        gettext('Remove'),
+                        HtmlUtils.HTML('</span></a>'),
+                        HtmlUtils.HTML('</li>')
+                    ).toString()
                 );
-                list.append($(template({ele: ele, index: index})));
+                list.append(HtmlUtils.HTML($(template({ele: ele, index: index}))).toString());
             });
         },
 
@@ -489,16 +495,19 @@ function(Backbone, BaseView, _, MetadataModel, AbstractEditor, FileUpload, Uploa
 
             _.each(value, function(value, key) {
                 var template = _.template(
-                    '<li class="list-settings-item">' +
-                        '<input type="text" class="input input-key" value="<%= key %>">' +
-                        '<input type="text" class="input input-value" value="<%= value %>">' +
-                        '<a href="#" class="remove-action remove-setting" data-value="<%= value %>"><span class="icon fa fa-times-circle" aria-hidden="true"></span><span class="sr">Remove</span></a>' +  // eslint-disable-line max-len
-                    '</li>'
+                    HtmlUtils.joinHtml(
+                        HtmlUtils.HTML('<li class="list-settings-item">'),
+                        HtmlUtils.HTML('<input type="text" class="input input-key" value="<%- key %>">'),
+                        HtmlUtils.HTML('<input type="text" class="input input-value" value="<%- value %>">'),
+                        HtmlUtils.HTML('<a href="#" class="remove-action remove-setting" data-value="<%- value %>"><span class="icon fa fa-times-circle" aria-hidden="true"></span><span class="sr">Remove</span></a>'), // eslint-disable-line max-len
+                        HtmlUtils.HTML('</li>')
+                    ).toString()
                 );
 
                 frag.appendChild($(template({key: key, value: value}))[0]);
             });
 
+            // xss-lint: disable=javascript-jquery-html
             list.html([frag]);
         },
 
@@ -564,7 +573,7 @@ function(Backbone, BaseView, _, MetadataModel, AbstractEditor, FileUpload, Uploa
             });
 
             this.$('#' + this.uniqueId).val(value);
-            this.$('.wrapper-uploader-actions').html(html);
+            this.$('.wrapper-uploader-actions').html(HtmlUtils.HTML((html)).toString());
         },
 
         upload: function(event) {
diff --git a/cms/static/js/views/video/translations_editor.js b/cms/static/js/views/video/translations_editor.js
index 9c82afa1802..9570cd3ad90 100644
--- a/cms/static/js/views/video/translations_editor.js
+++ b/cms/static/js/views/video/translations_editor.js
@@ -127,17 +127,20 @@ function($, _, HtmlUtils, TranscriptUtils, AbstractEditor, ViewUtils, FileUpload
                 languageMap = TranscriptUtils.Storage.get('languageMap');
 
             _.each(values, function(value, newLang) {
-                var html = $(self.templateItem({
+                var $html = $(self.templateItem({
                     newLang: newLang,
                     originalLang: _.findKey(languageMap, function(lang) { return lang === newLang; }) || '',
                     value: value,
                     url: self.model.get('urlRoot')
-                })).prepend(dropdown.clone().val(newLang))[0];
-
-                frag.appendChild(html);
+                }));
+                HtmlUtils.append($html, dropdown.clone().val(newLang));
+                frag.appendChild($html[0]);
             });
 
-            this.$el.find('ol').html([frag]);
+            HtmlUtils.setHtml(
+                this.$el.find('ol'),
+                HtmlUtils.HTML([frag])
+            );
         },
 
         addEntry: function(event) {
diff --git a/cms/static/js/views/xblock_validation.js b/cms/static/js/views/xblock_validation.js
index e675b3e80fc..437d7ecc055 100644
--- a/cms/static/js/views/xblock_validation.js
+++ b/cms/static/js/views/xblock_validation.js
@@ -1,5 +1,6 @@
-define(['jquery', 'underscore', 'js/views/baseview', 'gettext'],
-    function($, _, BaseView, gettext) {
+define(['jquery', 'underscore', 'js/views/baseview', 'gettext', 'edx-ui-toolkit/js/utils/html-utils'],
+    function($, _, BaseView, gettext, HtmlUtils) {
+        'use strict';
         /**
          * View for xblock validation messages as displayed in Studio.
          */
@@ -13,12 +14,13 @@ define(['jquery', 'underscore', 'js/views/baseview', 'gettext'],
             },
 
             render: function() {
-                this.$el.html(this.template({
+                var attributes = {
                     validation: this.model,
                     additionalClasses: this.getAdditionalClasses(),
                     getIcon: this.getIcon.bind(this),
                     getDisplayName: this.getDisplayName.bind(this)
-                }));
+                };
+                this.$el.html(HtmlUtils.HTML(this.template(attributes)).toString());
                 return this;
             },
 

From 56133592d9ee4aa304d2c6b889a1e4eac255fc66 Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Thu, 27 Aug 2020 17:15:24 -0500
Subject: [PATCH 6/8] New patch to prevent xss vulnerabilities in templates

---
 .../js/course_info_handouts.underscore        | 12 +++----
 cms/templates/js/grading-editor.underscore    |  8 ++---
 .../js/metadata-string-entry.underscore       | 10 +++---
 cms/templates/js/section-name-edit.underscore |  6 ++--
 cms/templates/js/signatory-actions.underscore |  4 +--
 cms/templates/js/team-member.underscore       | 30 ++++++++--------
 .../messages/transcripts-import.underscore    | 14 ++++----
 .../messages/transcripts-not-found.underscore | 14 ++++----
 .../messages/transcripts-replace.underscore   | 14 ++++----
 .../messages/transcripts-uploaded.underscore  | 14 ++++----
 .../transcripts-use-existing.underscore       | 18 +++++-----
 cms/templates/js/xblock-outline.underscore    | 36 +++++++++----------
 12 files changed, 90 insertions(+), 90 deletions(-)

diff --git a/cms/templates/js/course_info_handouts.underscore b/cms/templates/js/course_info_handouts.underscore
index 16d48118dac..dfa78587ddc 100644
--- a/cms/templates/js/course_info_handouts.underscore
+++ b/cms/templates/js/course_info_handouts.underscore
@@ -1,22 +1,22 @@
-<a href="#" class="edit-button"><span class="edit-icon"></span><%= gettext("Edit") %></a>
+<a href="#" class="edit-button"><span class="edit-icon"></span><%- gettext("Edit") %></a>
 
-<h2 class="title"><%= gettext("Course Handouts") %></h2>
+<h2 class="title"><%- gettext("Course Handouts") %></h2>
 <%if (model.get('data') != null) { %>
   <div class="handouts-content">
 
   </div>
 <% } else {%>
-  <p><%= gettext("You have no handouts defined") %></p>
+  <p><%- gettext("You have no handouts defined") %></p>
 <% } %>
 <form class="edit-handouts-form" style="display: block;">
   <div class="message message-status error" name="handout_html_error" id="handout_error">
-    <%= gettext("There is invalid code in your content. Please check to make sure it is valid HTML.") %>
+    <%- gettext("There is invalid code in your content. Please check to make sure it is valid HTML.") %>
   </div>
   <div class="row">
     <textarea class="handouts-content-editor text-editor"></textarea>
   </div>
   <div class="row">
-    <a href="#" class="save-button"><%= gettext("Save") %></a>
-    <a href="#" class="cancel-button"><%= gettext("Cancel") %></a>
+    <a href="#" class="save-button"><%- gettext("Save") %></a>
+    <a href="#" class="cancel-button"><%- gettext("Cancel") %></a>
   </div>
 </form>
diff --git a/cms/templates/js/grading-editor.underscore b/cms/templates/js/grading-editor.underscore
index 7db05aa5ff4..243de603616 100644
--- a/cms/templates/js/grading-editor.underscore
+++ b/cms/templates/js/grading-editor.underscore
@@ -1,12 +1,12 @@
-<h3 class="modal-section-title"><%= gettext('Grading') %></h3>
+<h3 class="modal-section-title"><%- gettext('Grading') %></h3>
 <div class="modal-section-content grading-type">
     <ul class="list-fields list-input">
         <li class="field field-grading-type field-select">
-            <label for="grading_type" class="label"><%= gettext('Grade as:') %></label>
+            <label for="grading_type" class="label"><%- gettext('Grade as:') %></label>
             <select class="input" id="grading_type">
-                <option value="notgraded"><%= gettext('Not Graded') %></option>
+                <option value="notgraded"><%- gettext('Not Graded') %></option>
                 <% _.each(graderTypes, function(grader) { %>
-                  <option value="<%= grader %>"><%= grader %></option>
+                  <option value="<%- grader %>"><%- grader %></option>
                 <% }); %>
             </select>
         </li>
diff --git a/cms/templates/js/metadata-string-entry.underscore b/cms/templates/js/metadata-string-entry.underscore
index 538528afc2b..d2946818b23 100644
--- a/cms/templates/js/metadata-string-entry.underscore
+++ b/cms/templates/js/metadata-string-entry.underscore
@@ -1,8 +1,8 @@
 <div class="wrapper-comp-setting">
-	<label class="label setting-label" for="<%= uniqueId %>"><%= model.get('display_name') %></label>
-	<input class="input setting-input" type="text" id="<%= uniqueId %>" value='<%= model.get("value") %>'/>
-	<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%= gettext("Clear") %>" data-tooltip="<%= gettext("Clear") %>">
-        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%= gettext("Clear Value") %>"</span>
+	<label class="label setting-label" for="<%- uniqueId %>"><%- model.get('display_name') %></label>
+	<input class="input setting-input" type="text" id="<%- uniqueId %>" value='<%- model.get("value") %>'/>
+	<button class="action setting-clear inactive" type="button" name="setting-clear" value="<%- gettext("Clear") %>" data-tooltip="<%- gettext("Clear") %>">
+        <span class="icon fa fa-undo" aria-hidden="true"></span><span class="sr">"<%- gettext("Clear Value") %>"</span>
     </button>
 </div>
-<span class="tip setting-help"><%= model.get('help') %></span>
+<span class="tip setting-help"><%- model.get('help') %></span>
diff --git a/cms/templates/js/section-name-edit.underscore b/cms/templates/js/section-name-edit.underscore
index cfbd64fffea..97034f1e557 100644
--- a/cms/templates/js/section-name-edit.underscore
+++ b/cms/templates/js/section-name-edit.underscore
@@ -1,5 +1,5 @@
 <form class="section-name-edit">
-    <input type="text" value="<%= name %>" autocomplete="off"/>
-    <input type="submit" class="save-button" value="<%= gettext("Save") %>" />
-    <input type="button" class="cancel-button" value="<%= gettext("Cancel") %>" />
+    <input type="text" value="<%- name %>" autocomplete="off"/>
+    <input type="submit" class="save-button" value="<%- gettext("Save") %>" />
+    <input type="button" class="cancel-button" value="<%- gettext("Cancel") %>" />
 </form>
diff --git a/cms/templates/js/signatory-actions.underscore b/cms/templates/js/signatory-actions.underscore
index e0c4ab60c58..08c65d0ce10 100644
--- a/cms/templates/js/signatory-actions.underscore
+++ b/cms/templates/js/signatory-actions.underscore
@@ -1,6 +1,6 @@
 <div class="collection-edit">
     <div class="actions custom-signatory-action">
-            <button class="signatory-panel-save action action-primary" type="submit"><%= gettext("Save") %></button>
-            <button class="signatory-panel-close action action-secondary action-cancel"><%= gettext("Cancel") %></button>
+            <button class="signatory-panel-save action action-primary" type="submit"><%- gettext("Save") %></button>
+            <button class="signatory-panel-close action action-secondary action-cancel"><%- gettext("Cancel") %></button>
     </div>
 </div>
diff --git a/cms/templates/js/team-member.underscore b/cms/templates/js/team-member.underscore
index afd20271b8b..ec9fb356cff 100644
--- a/cms/templates/js/team-member.underscore
+++ b/cms/templates/js/team-member.underscore
@@ -1,11 +1,11 @@
-<li class="user-item" data-email="<%= user.email %>">
+<li class="user-item" data-email="<%- user.email %>">
     <span class="wrapper-ui-badge">
-    <span class="flag flag-role flag-role-<%= user.role %> is-hanging">
-      <span class="label sr"><%= gettext("Current Role:") %></span>
+    <span class="flag flag-role flag-role-<%- user.role %> is-hanging">
+      <span class="label sr"><%- gettext("Current Role:") %></span>
       <span class="value">
-        <%= roles[user.role] %>
+        <%- roles[user.role] %>
         <% if (is_current_user) { %>
-            <span class="msg-you"><%= gettext("You!") %></span>
+            <span class="msg-you"><%- gettext("You!") %></span>
         <% } %>
       </span>
     </span>
@@ -13,11 +13,11 @@
 
     <div class="item-metadata">
     <h3 class="user-name">
-      <span class="user-username"><%= user.username %></span>
+      <span class="user-username"><%- user.username %></span>
       <span class="user-email">
-        <a class="action action-email" href="mailto:<%= user.email %>"
-                title="<%= viewHelpers.format(gettext("send an email message to {email}"), {email: user.email})%>">
-            <%= user.email %>
+        <a class="action action-email" href="mailto:<%- user.email %>"
+                title="<%- viewHelpers.format(gettext("send an email message to {email}"), {email: user.email})%>">
+            <%- user.email %>
         </a>
       </span>
     </h3>
@@ -29,19 +29,19 @@
         <% for (var i=0; i < actions.length; i++) { %>
             <% var action = actions[i]; %>
                 <% if (action.notoggle) { %>
-                    <span class="admin-role notoggleforyou"><%= gettext("Promote another member to Admin to remove your admin rights") %></span>
+                    <span class="admin-role notoggleforyou"><%- gettext("Promote another member to Admin to remove your admin rights") %></span>
                 <% } else { %>
-                    <a href="#" class="make-<%= action.to_role %> admin-role <%= action.direction %>-admin-role">
+                    <a href="#" class="make-<%- action.to_role %> admin-role <%- action.direction %>-admin-role">
                         <% var template = (action.direction === 'add') ? gettext("Add {role} Access") : gettext("Remove {role} Access"); %>
-                        <%= viewHelpers.format(template, {role: action.label}) %></span>
+                        <%- viewHelpers.format(template, {role: action.label}) %></span>
                     </a>
                 <% } %>
         <% } %>
         </li>
-        <li class="action action-delete <%=!allow_delete ? "is-disabled" : "" %> aria-disabled="<%=!allow_delete%>">
-            <a href="#" class="delete remove-user action-icon" data-id="<%= user.email %>">
+        <li class="action action-delete <%-!allow_delete ? "is-disabled" : "" %> aria-disabled="<%-!allow_delete%>">
+            <a href="#" class="delete remove-user action-icon" data-id="<%- user.email %>">
                 <span class="icon fa fa-trash-o" aria-hidden="true"></span>
-                <span class="sr"><%= viewHelpers.format(gettext("Delete the user, {username}"), {username:user.username}) %></span>
+                <span class="sr"><%- viewHelpers.format(gettext("Delete the user, {username}"), {username:user.username}) %></span>
             </a>
         </li>
     </ul>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-import.underscore b/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
index 7cc544488c4..52294661125 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-import.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%= gettext("No EdX Timed Transcript") %></div>
+<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%- gettext("No EdX Timed Transcript") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX doesn't have a timed transcript for this video in Studio, but we found a transcript on YouTube. You can import the YouTube transcript or upload your own .srt transcript file.") %>
+<%- gettext("EdX doesn't have a timed transcript for this video in Studio, but we found a transcript on YouTube. You can import the YouTube transcript or upload your own .srt transcript file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-import" type="button" name="setting-import" value="<%= gettext("Import YouTube Transcript") %>" data-tooltip="<%= gettext("Import YouTube Transcript") %>">
-        <span><%= gettext("Import YouTube Transcript") %></span>
+    <button class="action setting-import" type="button" name="setting-import" value="<%- gettext("Import YouTube Transcript") %>" data-tooltip="<%- gettext("Import YouTube Transcript") %>">
+        <span><%- gettext("Import YouTube Transcript") %></span>
     </button>
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New .srt Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New .srt Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
 </div>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore b/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
index 6bb74c635ee..daa33a1f69e 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-not-found.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%= gettext("No Timed Transcript") %></div>
+<div class="transcripts-message-status status-error"><span class="icon fa fa-remove" aria-hidden="true"></span><%- gettext("No Timed Transcript") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX doesn\'t have a timed transcript for this video. Please upload an .srt file.") %>
+<%- gettext("EdX doesn\'t have a timed transcript for this video. Please upload an .srt file.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New Transcript") %>">
-        <%= gettext("Upload New Transcript") %>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New Transcript") %>">
+        <%- gettext("Upload New Transcript") %>
     </button>
-    <a class="action setting-download is-disabled" aria-disabled="true" href="javascropt: void(0);" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <%= gettext("Download Transcript for Editing") %>
+    <a class="action setting-download is-disabled" aria-disabled="true" href="javascropt: void(0);" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <%- gettext("Download Transcript for Editing") %>
     </a>
 </div>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore b/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
index fa63c200b6c..ddd91aa1d55 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-replace.underscore
@@ -1,17 +1,17 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Timed Transcript Conflict") %>
+    <%- gettext("Timed Transcript Conflict") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("The timed transcript for this video on edX is out of date, but YouTube has a current timed transcript for this video.") %>
+    <%- gettext("The timed transcript for this video on edX is out of date, but YouTube has a current timed transcript for this video.") %>
     <strong>
-        <%= gettext("Do you want to replace the edX transcript with the YouTube transcript?") %>
+        <%- gettext("Do you want to replace the edX transcript with the YouTube transcript?") %>
     </strong>
 </p>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -19,11 +19,11 @@
         class="action setting-replace"
         type="button"
         name="setting-replace"
-        value="<%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
-        data-tooltip="<%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
+        value="<%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
+        data-tooltip="<%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>"
     >
         <span>
-            <%= gettext("Yes, replace the edX transcript with the YouTube transcript") %>
+            <%- gettext("Yes, replace the edX transcript with the YouTube transcript") %>
         </span>
     </button>
 </div>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore b/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
index 4740d280e53..5f93f1d28c3 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-uploaded.underscore
@@ -1,16 +1,16 @@
-<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%= gettext("Timed Transcript Uploaded Successfully") %></div>
+<div class="transcripts-message-status"><span class="icon fa fa-check" aria-hidden="true"></span><%- gettext("Timed Transcript Uploaded Successfully") %></div>
 <p class="transcripts-message">
-<%= gettext("EdX has a timed transcript for this video. If you want to replace this transcript, upload a new .srt transcript file. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript.") %>
+<%- gettext("EdX has a timed transcript for this video. If you want to replace this transcript, upload a new .srt transcript file. If you want to edit this transcript, you can download, edit, and re-upload the existing transcript.") %>
 </p>
 <div class="transcripts-file-uploader"></div>
 <p class="transcripts-error-message is-invisible">
-<%= gettext("Error.") %>
+<%- gettext("Error.") %>
 </p>
 <div class="wrapper-transcripts-buttons">
-    <button class="action setting-upload" type="button" name="setting-upload" value="<%= gettext("Upload New Transcript") %>" data-tooltip="<%= gettext("Upload New Transcript") %>">
-        <span><%= gettext("Upload New Transcript") %></span>
+    <button class="action setting-upload" type="button" name="setting-upload" value="<%- gettext("Upload New Transcript") %>" data-tooltip="<%- gettext("Upload New Transcript") %>">
+        <span><%- gettext("Upload New Transcript") %></span>
     </button>
-    <a class="action setting-download" href="/transcripts/download?locator=<%= component_locator %>" data-tooltip="<%= gettext("Download Transcript for Editing") %>">
-        <span><%= gettext("Download Transcript for Editing") %></span>
+    <a class="action setting-download" href="/transcripts/download?locator=<%- component_locator %>" data-tooltip="<%- gettext("Download Transcript for Editing") %>">
+        <span><%- gettext("Download Transcript for Editing") %></span>
     </a>
 </div>
diff --git a/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore b/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
index c884e8bf233..64c81664c4a 100644
--- a/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
+++ b/cms/templates/js/video/transcripts/messages/transcripts-use-existing.underscore
@@ -1,16 +1,16 @@
 <div class="transcripts-message-status status-error">
     <span class="icon fa fa-remove" aria-hidden="true"></span>
-    <%= gettext("Confirm Timed Transcript") %>
+    <%- gettext("Confirm Timed Transcript") %>
 </div>
 
 <p class="transcripts-message">
-    <%= gettext("You changed a video URL, but did not change the timed transcript file. Do you want to use the current timed transcript or upload a new .srt transcript file?") %>
+    <%- gettext("You changed a video URL, but did not change the timed transcript file. Do you want to use the current timed transcript or upload a new .srt transcript file?") %>
 </p>
 
 <div class="transcripts-file-uploader"></div>
 
 <p class="transcripts-error-message is-invisible">
-    <%= gettext("Error.") %>
+    <%- gettext("Error.") %>
 </p>
 
 <div class="wrapper-transcripts-buttons">
@@ -18,22 +18,22 @@
         class="action setting-use-existing"
         type="button"
         name="setting-use-existing"
-        value="<%= gettext("Use Current Transcript") %>"
-        data-tooltip="<%= gettext("Use Current Transcript") %>"
+        value="<%- gettext("Use Current Transcript") %>"
+        data-tooltip="<%- gettext("Use Current Transcript") %>"
     >
         <span>
-            <%= gettext("Use Current Transcript") %>
+            <%- gettext("Use Current Transcript") %>
         </span>
     </button>
     <button
         class="action setting-upload"
         type="button"
         name="setting-upload"
-        value="<%= gettext("Upload New Transcript") %>"
-        data-tooltip="<%= gettext("Upload New Transcript") %>"
+        value="<%- gettext("Upload New Transcript") %>"
+        data-tooltip="<%- gettext("Upload New Transcript") %>"
     >
         <span>
-            <%= gettext("Upload New Transcript") %>
+            <%- gettext("Upload New Transcript") %>
         </span>
     </button>
 </div>
diff --git a/cms/templates/js/xblock-outline.underscore b/cms/templates/js/xblock-outline.underscore
index 59ee9a98168..0312389fbff 100644
--- a/cms/templates/js/xblock-outline.underscore
+++ b/cms/templates/js/xblock-outline.underscore
@@ -1,13 +1,13 @@
 <% if (parentInfo) { %>
-<li class="outline-item outline-item-<%= xblockType %> <%= includesChildren ? 'is-collapsible' : '' %> is-draggable <%= isCollapsed ? 'is-collapsed' : '' %>"
-    data-parent="<%= parentInfo.get('id') %>" data-locator="<%= xblockInfo.get('id') %>">
+<li class="outline-item outline-item-<%- xblockType %> <%- includesChildren ? 'is-collapsible' : '' %> is-draggable <%- isCollapsed ? 'is-collapsed' : '' %>"
+    data-parent="<%- parentInfo.get('id') %>" data-locator="<%- xblockInfo.get('id') %>">
     <span class="draggable-drop-indicator draggable-drop-indicator-before"><span class="icon fa fa-caret-right" aria-hidden="true"></span></span>
 
     <div class="wrapper-xblock-header">
         <div class="wrapper-xblock-header-primary">
             <% if (includesChildren) { %>
-                <h3 class="xblock-title expand-collapse <%= isCollapsed ? 'expand' : 'collapse' %>"
-                    title="<%= interpolate(
+                <h3 class="xblock-title expand-collapse <%- isCollapsed ? 'expand' : 'collapse' %>"
+                    title="<%- interpolate(
                           gettext('Collapse/Expand this %(xblock_type)s'), { xblock_type: xblockTypeDisplayName }, true
                     ) %>"
                 >
@@ -17,7 +17,7 @@
             <% } %>
 
                 <% if (xblockInfo.get('studio_url') && xblockInfo.get('category') !== 'chapter') { %>
-                    <a href="<%= xblockInfo.get('studio_url') %>"><%- xblockInfo.get('display_name') %></a>
+                    <a href="<%- xblockInfo.get('studio_url') %>"><%- xblockInfo.get('display_name') %></a>
                 <% } else { %>
                     <span class="wrapper-xblock-field is-editable" data-field="display_name">
                         <span class="xblock-field-value"><%- xblockInfo.get('display_name') %></span>
@@ -28,9 +28,9 @@
             <div class="item-actions">
                 <ul class="actions-list">
                     <li class="action-item action-delete">
-                        <a href="#" data-tooltip="<%= gettext('Delete') %>" class="delete-button action-button">
+                        <a href="#" data-tooltip="<%- gettext('Delete') %>" class="delete-button action-button">
                             <span class="icon fa fa-remove" aria-hidden="true"></span>
-                            <span class="sr"><%= gettext('Delete') %></span>
+                            <span class="sr"><%- gettext('Delete') %></span>
                         </a>
                     </li>
                 </ul>
@@ -40,7 +40,7 @@
             <% if (xblockInfo.get('release_date')) { %>
                 <div class="meta-info">
                     <span class="icon fa fa-clock-o" aria-hidden="true"></span>
-                    <%= gettext('Released:') %> <%= xblockInfo.get('release_date') %>
+                    <%- gettext('Released:') %> <%- xblockInfo.get('release_date') %>
                 </div>
             <% } %>
 
@@ -54,30 +54,30 @@
 <% } %>
     <% if (!parentInfo && xblockInfo.get('child_info') && xblockInfo.get('child_info').children.length === 0) { %>
         <div class="no-content add-xblock-component">
-            <p><%= gettext("You haven't added any content to this course yet.") %>
-                <a href="#" class="button button-new" data-category="<%= childCategory %>"
-                   data-parent="<%= xblockInfo.get('id') %>" data-default-name="<%= defaultNewChildName %>"
-                   title="<%= interpolate(
+            <p><%- gettext("You haven't added any content to this course yet.") %>
+                <a href="#" class="button button-new" data-category="<%- childCategory %>"
+                   data-parent="<%- xblockInfo.get('id') %>" data-default-name="<%- defaultNewChildName %>"
+                   title="<%- interpolate(
                          gettext('Click to add a new %(xblock_type)s'), { xblock_type: defaultNewChildName }, true
                    ) %>"
                 >
-                    <span class="icon fa fa-plus" aria-hidden="true"></span><%= addChildLabel %>
+                    <span class="icon fa fa-plus" aria-hidden="true"></span><%- addChildLabel %>
                 </a>
             </p>
         </div>
     <% } else { %>
-        <ol class="sortable-list sortable-<%= xblockType %>-list">
+        <ol class="sortable-list sortable-<%- xblockType %>-list">
         </ol>
 
         <% if (childType) { %>
             <div class="add-xblock-component">
-                <a href="#" class="button button-new" data-category="<%= childCategory %>"
-                   data-parent="<%= xblockInfo.get('id') %>" data-default-name="<%= defaultNewChildName %>"
-                   title="<%= interpolate(
+                <a href="#" class="button button-new" data-category="<%- childCategory %>"
+                   data-parent="<%- xblockInfo.get('id') %>" data-default-name="<%- defaultNewChildName %>"
+                   title="<%- interpolate(
                          gettext('Click to add a new %(xblock_type)s'), { xblock_type: defaultNewChildName }, true
                    ) %>"
                 >
-                    <span class="icon fa fa-plus" aria-hidden="true"></span><%= addChildLabel %>
+                    <span class="icon fa fa-plus" aria-hidden="true"></span><%- addChildLabel %>
                 </a>
             </div>
         <% } %>

From 7a08015e4def3a4bc9fde403242c64e0814d952e Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Thu, 27 Aug 2020 17:28:36 -0500
Subject: [PATCH 7/8] Reverting change on a template to prevent LMS tests
 failure

---
 .../cors_csrf/templates/cors_csrf/xdomain_proxy.html  | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html b/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
index 7c74321daad..66d1a4a31ad 100644
--- a/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
+++ b/openedx/core/djangoapps/cors_csrf/templates/cors_csrf/xdomain_proxy.html
@@ -1,12 +1,5 @@
-<%page expression_filter="h"/>
-
 <%namespace name='static' file='../static_content.html'/>
-<%!
-from openedx.core.djangolib.js_utils import (
-    dump_js_escaped_json
-)
-%>
-<%! import json %>
+
 <!DOCTYPE HTML>
 <script src="${static.url('js/vendor/xdomain.min.js')}"></script>
-<script>xdomain.masters(${json.loads(xdomain_masters) | n, dump_js_escaped_json});</script>
+<script>xdomain.masters(${xdomain_masters});</script>

From 9009788a24b03a87196671382163e1009a895a9d Mon Sep 17 00:00:00 2001
From: jfavellar90 <jhony.avella@edunext.co>
Date: Mon, 31 Aug 2020 15:49:48 -0500
Subject: [PATCH 8/8] New Juniper XSS vulnerabilities patch V3

---
 cms/static/js/views/baseview.js               |  1 +
 cms/static/js/views/license.js                |  2 +-
 cms/static/js/views/list.js                   |  5 ++--
 cms/static/js/views/manage_users_and_roles.js |  8 +++----
 cms/static/js/views/uploads.js                | 10 ++++----
 .../video/transcripts/message_manager.js      | 23 ++++++++-----------
 .../js/views/xblock_string_field_editor.js    | 11 +++++----
 7 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/cms/static/js/views/baseview.js b/cms/static/js/views/baseview.js
index a09f4a7e68e..62631450962 100644
--- a/cms/static/js/views/baseview.js
+++ b/cms/static/js/views/baseview.js
@@ -44,6 +44,7 @@ define(['jquery', 'underscore', 'backbone', 'gettext', 'js/utils/handle_iframe_b
                 this.options = options;
 
                 var _this = this;
+                // xss-lint: disable=javascript-jquery-insertion
                 this.render = _.wrap(this.render, function(render, options) {
                     _this.beforeRender();
                     render(options);
diff --git a/cms/static/js/views/license.js b/cms/static/js/views/license.js
index 77357431c81..d88f0e167de 100644
--- a/cms/static/js/views/license.js
+++ b/cms/static/js/views/license.js
@@ -82,7 +82,7 @@ define([
         },
 
         render: function() {
-            this.$el.html(_.template(licenseSelectorTemplate)({
+            edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.template(licenseSelectorTemplate)({
                 model: this.model.attributes,
                 licenseString: this.model.toString() || '',
                 licenseInfo: this.licenseInfo,
diff --git a/cms/static/js/views/list.js b/cms/static/js/views/list.js
index 7ec03927f2a..4e8a4aecb70 100644
--- a/cms/static/js/views/list.js
+++ b/cms/static/js/views/list.js
@@ -38,7 +38,7 @@ define([
         },
 
         render: function(model) {
-            this.$el.html(this.template({
+            var template = this.template({
                 itemCategoryDisplayName: this.itemCategoryDisplayName,
                 newItemMessage: this.newItemMessage,
                 emptyMessage: this.emptyMessage,
@@ -46,7 +46,8 @@ define([
                 isEditing: model && model.get('editing'),
                 canCreateNewItem: this.canCreateItem(this.collection),
                 restrictEditing: this.restrictEditing
-            }));
+            });
+            edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.HTML(template));
 
             this.collection.each(function(model) {
                 this.$(this.listContainerCss).append(
diff --git a/cms/static/js/views/manage_users_and_roles.js b/cms/static/js/views/manage_users_and_roles.js
index 76fd8e16328..18244a973b9 100644
--- a/cms/static/js/views/manage_users_and_roles.js
+++ b/cms/static/js/views/manage_users_and_roles.js
@@ -1,9 +1,9 @@
 /*
  Code for editing users and assigning roles within a course or library team context.
  */
-define(['jquery', 'underscore', 'gettext', 'js/views/baseview',
-    'common/js/components/views/feedback_prompt', 'common/js/components/utils/view_utils'],
-    function($, _, gettext, BaseView, PromptView, ViewUtils) {
+define(['jquery', 'underscore', 'gettext', 'js/views/baseview', 'common/js/components/views/feedback_prompt',
+    'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils'],
+    function($, _, gettext, BaseView, PromptView, ViewUtils, HtmlUtils) {
         'use strict';
         var default_messages = {
             defaults: {
@@ -157,7 +157,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/baseview',
                         viewHelpers: viewHelpers
                     };
 
-                    this.$userList.append(templateFn(template_data));
+                    this.$userList.append(HtmlUtils.HTML(templateFn(template_data)).toString());
                 }
             },
 
diff --git a/cms/static/js/views/uploads.js b/cms/static/js/views/uploads.js
index b93cf324e39..c71d5bf060a 100644
--- a/cms/static/js/views/uploads.js
+++ b/cms/static/js/views/uploads.js
@@ -1,5 +1,7 @@
-define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery.form'],
-    function($, _, gettext, BaseModal) {
+define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'edx-ui-toolkit/js/utils/html-utils',
+    'jquery.form'],
+    function($, _, gettext, BaseModal, HtmlUtils) {
+        'use strict';
         var UploadDialog = BaseModal.extend({
             events: _.extend({}, BaseModal.prototype.events, {
                 'change input[type=file]': 'selectFile',
@@ -42,7 +44,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery
                 // a blank input to prompt the user to upload a different (valid) file.
                 if (selectedFile && isValid) {
                     $(oldInput).removeClass('error');
-                    this.$('input[type=file]').replaceWith(oldInput);
+                    this.$('input[type=file]').replaceWith(HtmlUtils.ensureHtml(oldInput).toString());
                     this.$('.action-upload').removeClass('disabled');
                 } else {
                     this.$('.action-upload').addClass('disabled');
@@ -53,7 +55,7 @@ define(['jquery', 'underscore', 'gettext', 'js/views/modals/base_modal', 'jquery
             getContentHtml: function() {
                 return this.template({
                     url: this.options.url || CMS.URL.UPLOAD_ASSET,
-                    message: this.model.escape('message'),
+                    message: this.model.get('message'),
                     selectedFile: this.model.get('selectedFile'),
                     uploading: this.model.get('uploading'),
                     uploadedBytes: this.model.get('uploadedBytes'),
diff --git a/cms/static/js/views/video/transcripts/message_manager.js b/cms/static/js/views/video/transcripts/message_manager.js
index 84d673410ba..8c645e3a387 100644
--- a/cms/static/js/views/video/transcripts/message_manager.js
+++ b/cms/static/js/views/video/transcripts/message_manager.js
@@ -74,16 +74,15 @@ function($, Backbone, _, Utils, FileUploader, gettext) {
                 return this;
             }
 
-            template = _.template(tplHtml);
+            template = edx.HtmlUtils.template(tplHtml);
 
-            this.$el.find('.transcripts-status')
-                .removeClass('is-invisible')
-                .find(this.elClass).html(template({
-                    component_locator: encodeURIComponent(this.component_locator),
-                    html5_list: html5List,
-                    grouped_list: groupedList,
-                    subs_id: (params) ? params.subs : ''
-                }));
+            edx.HtmlUtils.setHtml(
+            this.$el.find('.transcripts-status').removeClass('is-invisible').find(this.elClass), template({
+                component_locator: encodeURIComponent(this.component_locator),
+                html5_list: html5List,
+                grouped_list: groupedList,
+                subs_id: (params) ? params.subs : ''
+            }));
 
             this.fileUploader.render();
 
@@ -106,11 +105,7 @@ function($, Backbone, _, Utils, FileUploader, gettext) {
             if (err) {
                 // Hide any other error messages.
                 this.hideError();
-
-                $error
-                    .html(gettext(err))
-                    .removeClass(this.invisibleClass);
-
+                edx.HtmlUtils.setHtml($error, gettext(err)).removeClass(this.invisibleClass);
                 if (hideButtons) {
                     this.$el.find('.wrapper-transcripts-buttons')
                         .addClass(this.invisibleClass);
diff --git a/cms/static/js/views/xblock_string_field_editor.js b/cms/static/js/views/xblock_string_field_editor.js
index d9eeb14fce7..e847c727362 100644
--- a/cms/static/js/views/xblock_string_field_editor.js
+++ b/cms/static/js/views/xblock_string_field_editor.js
@@ -5,8 +5,9 @@
  * XBlock field's value if it has been changed. If the user presses Escape, then any changes will
  * be removed and the input hidden again.
  */
-define(['js/views/baseview', 'js/views/utils/xblock_utils'],
-    function(BaseView, XBlockViewUtils) {
+define(['js/views/baseview', 'js/views/utils/xblock_utils', 'edx-ui-toolkit/js/utils/html-utils'],
+    function(BaseView, XBlockViewUtils, HtmlUtils) {
+        'use strict';
         var XBlockStringFieldEditor = BaseView.extend({
             events: {
                 'click .xblock-field-value-edit': 'showInput',
@@ -29,11 +30,13 @@ define(['js/views/baseview', 'js/views/utils/xblock_utils'],
             },
 
             render: function() {
-                this.$el.append(this.template({
+                var attributes = {
+                    // xss-lint: disable=javascript-escape
                     value: this.model.escape(this.fieldName),
                     fieldName: this.fieldName,
                     fieldDisplayName: this.fieldDisplayName
-                }));
+                };
+                this.$el.append(HtmlUtils.HTML(this.template(attributes)).toString());
                 return this;
             },