Make html escaping the default mako filter

Description

Mako is currently configured to output the value of ${...} expressions without HTML-escaping it by default, which makes it easy to introduce XSS (cross-site scripting) vulnerabilities in our website: every expression that interpolates user-controlled text is an injection point unless the template author remembers to add the h filter. These vulnerabilities can be mitigated on a case-by-case basis, but changing Mako to HTML-escape strings by default will make them much less pervasive, because emitting raw HTML then requires an explicit opt-out (the n filter, which disables the default filters for that expression) that is easy to find and review. We should make that change: the relevant code is in common/djangoapps/edxmako/paths.py, in the add_lookup method, where the DynamicTemplateLookup object should be created with the h filter appended to the default_filters list. Templates that intentionally output trusted markup will need to be updated to use the n filter at the same time. Docs are here.
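
The difference the setting makes, as an added example that is not edx-platform or Mako code: it renders the same constructed payload with and without h in default_filters, shows the n opt-out, and includes a small helper for auditing a template tree for expressions that disable escaping once the default is flipped. The filter lists, the template strings, and the payload are assumptions for illustration; the only Mako API used is Template(default_filters=...) and render_unicode().

```python
# Added example (not edx-platform's or Mako's own code): why default_filters
# matters for XSS, plus an audit helper for the follow-up work of reviewing
# every explicit opt-out after escaping becomes the default.
import re

# Constructed sample input: attacker-controlled text such as a display name
# or course-authored content that a template interpolates into a page.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'

# Assumed template snippets. A bare ${...} gets only the lookup's
# default_filters; `| n` switches the default filters off for that expression.
TEMPLATE = "<p>Welcome, ${name}</p>"
TEMPLATE_OPT_OUT = "<p>Welcome, ${name | n}</p>"


def html_escape(text):
    """The replacements Mako's `h` filter (markupsafe.escape) performs."""
    return (str(text).replace("&", "&amp;")
                     .replace("<", "&lt;")
                     .replace(">", "&gt;")
                     .replace('"', "&#34;")
                     .replace("'", "&#39;"))


def render(source, escape_by_default, **context):
    """Render `source` with Mako, either with the status-quo filter list
    (no escaping) or with `h` appended, as the ticket proposes.
    Mako is imported lazily so the audit helper below works without it."""
    from mako.template import Template
    filters = ["str", "h"] if escape_by_default else ["str"]
    return Template(source, default_filters=filters).render_unicode(**context)


# Matches each ${...} expression; good enough for an audit, not a full parser.
EXPR_RE = re.compile(r"\$\{(.*?)\}", re.DOTALL)


def find_escape_opt_outs(template_source):
    """Return the ${...} expressions whose filter chain contains `n`.
    After flipping the default, run this over the template tree to review
    every place that still emits raw HTML. Approximate: it splits on the
    last '|' and does not parse the Python expression itself."""
    hits = []
    for match in EXPR_RE.finditer(template_source):
        body = match.group(1)
        if "|" not in body:
            continue
        _, chain = body.rsplit("|", 1)
        names = [name.strip() for name in chain.split(",")]
        if "n" in names:
            hits.append(body.strip())
    return hits


def demo():
    """Render the payload three ways and return the outputs."""
    unsafe = render(TEMPLATE, escape_by_default=False, name=PAYLOAD)
    safe = render(TEMPLATE, escape_by_default=True, name=PAYLOAD)
    opt_out = render(TEMPLATE_OPT_OUT, escape_by_default=True, name=PAYLOAD)
    return unsafe, safe, opt_out


if __name__ == "__main__":
    for label, out in zip(("unescaped", "escaped", "opt-out"), demo()):
        print(f"{label:10}: {out}")
    print("opt-outs:", find_escape_opt_outs(TEMPLATE_OPT_OUT))
```

With the status-quo filter list the script tag survives into the page; with h appended it is rendered as inert text, and only the expression that explicitly uses n emits the raw markup, which is exactly what the audit helper reports.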

Note that content created by course authors on edx.org almost certainly relies on this unescaped-by-default behavior to include arbitrary JavaScript and CSS in courses. When we make this change, that content will start rendering as escaped text, so we'll need to communicate the change to course authors well in advance.

made a pull request to make this change: PR 4576. rebased this PR and kept it up to date for a while: PR 6378. However, neither one was actually merged.

Steps to Reproduce

None

Current Behavior

None

Expected Behavior

None

Reason for Variance

None

Release Notes

None

User Impact Summary

None

Assignee

Unassigned

Reporter

David Baumgold

Labels

Reach

None

Impact

None

Platform Area

None

Customer

None

Partner Manager

None

URL

None

Contributor Name

None

Groups with Read-Only Access

None

Actual Points

None

Category of Work

None

Platform Map Area (Levels 1 & 2)

None

Platform Map Area (Levels 3 & 4)

None

Story Points

34

Priority

Unset