Merge pull request #196 from edx/sustaining/security-fixes-4

Sustaining/security fixes 4

cms/static/js/views/container.js

@@ -1,9 +1,9 @@
 define([
     'jquery', 'underscore', 'js/views/xblock', 'js/utils/module',
-    'gettext', 'common/js/components/views/feedback_notification',
-    'jquery.ui'
+    'gettext', 'edx-ui-toolkit/js/utils/string-utils',
+    'common/js/components/views/feedback_notification', 'jquery.ui'
 ], // The container view uses sortable, which is provided by jquery.ui.
-    function($, _, XBlockView, ModuleUtils, gettext, NotificationView) {
+    function($, _, XBlockView, ModuleUtils, gettext, StringUtils, NotificationView) {
         'use strict';
 
         var studioXBlockWrapperClass = '.studio-xblock-wrapper';
@@ -142,7 +142,15 @@ define([
             },
 
             makeRequestSpecificSelector: function(selector) {
-                return 'div.xblock[data-request-token="' + this.requestToken + '"] > ' + selector;
+                return StringUtils.interpolate(
+                    gettext('{startTag}{requestToken}{endTag}{selector}'),
+                    {
+                        startTag: 'div.xblock[data-request-token="',
+                        requestToken: this.requestToken,
+                        endTag: '"] > ',
+                        selector: selector
+                    }
+                );
             }
         });
 

cms/static/js/views/experiment_group_edit.js

@@ -29,7 +29,7 @@ function(BaseView, _, str, gettext, groupEditTemplate) {
             var collection = this.model.collection,
                 index = collection.indexOf(this.model);
 
-            this.$el.html(_.template(groupEditTemplate)({
+            edx.HtmlUtils.setHtml(this.$el, edx.HtmlUtils.template(groupEditTemplate)({
                 name: this.model.get('name'),
                 allocation: this.getAllocation(),
                 index: index,

cms/static/js/views/learning_info.js

@@ -5,9 +5,10 @@ define([
     'underscore',
     'backbone',
     'gettext',
-    'js/utils/templates'
+    'js/utils/templates',
+    'edx-ui-toolkit/js/utils/html-utils'
 ],
-function($, _, Backbone, gettext, TemplateUtils) {
+function($, _, Backbone, gettext, TemplateUtils, HtmlUtils) {
     'use strict';
     var LearningInfoView = Backbone.View.extend({
 
@@ -33,7 +34,12 @@ function($, _, Backbone, gettext, TemplateUtils) {
             var self = this;
             var learning_information = this.model.get('learning_info');
             $.each(learning_information, function(index, info) {
-                $(self.el).append(self.template({index: index, info: info, info_count: learning_information.length}));
+                var attributes = {
+                    index: index,
+                    info: info,
+                    info_count: learning_information.length
+                };
+                $(self.el).append(HtmlUtils.HTML(self.template(attributes)).toString());
             });
         },
 

cms/static/js/views/list_item.js

@@ -12,9 +12,10 @@
  *   to the DOM.
  */
 define([
-    'js/views/baseview', 'jquery', 'gettext', 'common/js/components/utils/view_utils'
+    'js/views/baseview', 'jquery', 'gettext',
+    'common/js/components/utils/view_utils', 'edx-ui-toolkit/js/utils/html-utils'
 ], function(
-    BaseView, $, gettext, ViewUtils
+    BaseView, $, gettext, ViewUtils, HtmlUtils
 ) {
     'use strict';
 
@@ -81,7 +82,7 @@ define([
                 this.view = this.createDetailsView();
             }
 
-            this.$el.html(this.view.render().el);
+            this.$el.html(HtmlUtils.HTML(this.view.render().el).toString());
 
             return this;
         }