[LON-CAPA-cvs] cvs: loncom /auth lonroles.pm /homework grades.pm /imspackages imsimport.pm /interface coursecatalog.pm courseprefs.pm createaccount.pm domainprefs.pm loncommon.pm lonconfigsettings.pm loncourserespicker.pm loncreatecourse.pm loncreateuser.pm londocs.pm lonextresedit.pm lonfeedback.pm lonhtmlcommon.pm lonmodifycourse.pm lonmsgdisplay.pm lonpdfupload.pm lonpopulate.pm lonrequestcourse.pm lonsupportreq.pm lonsyllabus.pm lonuserutils.pm lonwishlist.pm selfenroll.pm /interface/statistics lonstathelpers.pm /localize lonlocal.pm /publisher lonpubmenu.pm

damieng damieng at source.lon-capa.org
Tue Jun 9 17:23:29 EDT 2015


damieng		Tue Jun  9 21:23:29 2015 EDT

  Modified files:              
    /loncom/auth	lonroles.pm 
    /loncom/homework	grades.pm 
    /loncom/imspackages	imsimport.pm 
    /loncom/interface	coursecatalog.pm courseprefs.pm createaccount.pm 
                     	domainprefs.pm loncommon.pm lonconfigsettings.pm 
                     	loncourserespicker.pm loncreatecourse.pm 
                     	loncreateuser.pm londocs.pm lonextresedit.pm 
                     	lonfeedback.pm lonhtmlcommon.pm 
                     	lonmodifycourse.pm lonmsgdisplay.pm 
                     	lonpdfupload.pm lonpopulate.pm 
                     	lonrequestcourse.pm lonsupportreq.pm 
                     	lonsyllabus.pm lonuserutils.pm lonwishlist.pm 
                     	selfenroll.pm 
    /loncom/interface/statistics	lonstathelpers.pm 
    /loncom/localize	lonlocal.pm 
    /loncom/publisher	lonpubmenu.pm 
  Log:
  Fixed bug 6782, and JS-escaped most localized messages that are interpolated into JavaScript blocks, so that bugs of this kind do not happen again.
  
Index: loncom/auth/lonroles.pm
diff -u loncom/auth/lonroles.pm:1.311 loncom/auth/lonroles.pm:1.312
--- loncom/auth/lonroles.pm:1.311	Mon Apr 13 18:32:43 2015
+++ loncom/auth/lonroles.pm	Tue Jun  9 21:22:44 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # User Roles Screen
 #
-# $Id: lonroles.pm,v 1.311 2015/04/13 18:32:43 raeburn Exp $
+# $Id: lonroles.pm,v 1.312 2015/06/09 21:22:44 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -747,7 +747,7 @@
         $cattype = $domdefs{'catauth'};
     }
     my $funcs = &get_roles_functions($showcount,$cattype);
-    $standby=~s/\n/\\n/g;
+    &js_escape(\$standby);
     my $noscript='<br /><span class="LC_error">'.&mt('Use of LON-CAPA requires Javascript to be enabled in your web browser.').'<br />'.&mt('As this is not the case, most functionality in the system will be unavailable.').'</span><br />';
 
     $r->print(<<ENDHEADER);
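Review bot: `&js_escape(\$standby)` is called unqualified here, as are all the `js_escape`/`html_escape` calls in this commit, so every modified package must import it (lonlocal.pm is in the file list and presumably exports it, but that diff is not in view); a missing import only surfaces at runtime as "Undefined subroutine". The ENDHEADER heredoc that consumes `$standby` begins on the hunk's last line and continues outside it, so the quoting context cannot be confirmed; for the replacement of the old `s/\n/\\n/g` to be safe regardless, js_escape has to neutralise both quote styles, backslashes and line terminators, and for inline `<script>` bodies also `</` (emit `<\/`), since a `</script>` inside a string literal still closes the element. A one-line comment above the call stating that contract, e.g. `# js_escape: quotes, backslashes, newlines and "</" are all neutralised for use inside a JS string literal`, would keep the next maintainer from reintroducing the regex. The enclosing sub starts outside the hunk.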
@@ -1760,10 +1760,11 @@
 }
 
 sub coursepick_jscript {
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                   plsu => "Please use the 'Select Course/Community' link to open a separate pick course window where you may select the course or community you wish to enter.",
                   youc => 'You can only use this screen to select courses and communities in the current domain.',
              );
+    &js_escape(\%js_lt);
     my $verify_script = <<"END";
 <script type="text/javascript">
 // <![CDATA[
@@ -1780,11 +1781,11 @@
             }
         }
         else {
-            alert("$lt{'plsu'}");
+            alert("$js_lt{'plsu'}");
         }
     }
     else {
-        alert("$lt{'youc'}")
+        alert("$js_lt{'youc'}")
     }
 }
 function getIndex(caller) {
Index: loncom/homework/grades.pm
diff -u loncom/homework/grades.pm:1.735 loncom/homework/grades.pm:1.736
--- loncom/homework/grades.pm:1.735	Wed Mar 18 12:53:24 2015
+++ loncom/homework/grades.pm	Tue Jun  9 21:22:48 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # The LON-CAPA Grading handler
 #
-# $Id: grades.pm,v 1.735 2015/03/18 12:53:24 raeburn Exp $
+# $Id: grades.pm,v 1.736 2015/06/09 21:22:48 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -857,10 +857,11 @@
     my $res_error;
     my ($partlist,$handgrade,$responseType) = &response_type($symb,\$res_error);
 
-    my %lt = &Apache::lonlocal::texthash (
+    my %js_lt = &Apache::lonlocal::texthash (
 		'multiple' => 'Please select a student or group of students before clicking on the Next button.',
 		'single'   => 'Please select the student before clicking on the Next button.',
 	     );
+    &js_escape(\%js_lt);
     $request->print(&Apache::lonhtmlcommon::scripttag(<<LISTJAVASCRIPT));
     function checkSelect(checkBox) {
 	var ctr=0;
@@ -871,12 +872,12 @@
 		    ctr++;
 		}
 	    }
-	    sense = '$lt{'multiple'}';
+	    sense = '$js_lt{'multiple'}';
 	} else {
 	    if (checkBox.checked) {
 		ctr = 1;
 	    }
-	    sense = '$lt{'single'}';
+	    sense = '$js_lt{'single'}';
 	}
 	if (ctr == 0) {
 	    alert(sense);
@@ -1177,7 +1178,8 @@
 #--- Javascript to handle the submission page functionality ---
 sub sub_page_js {
     my $request = shift;
-	    my $alertmsg = &mt('A number equal or greater than 0 is expected. Entered value = ');
+    my $alertmsg = &mt('A number equal or greater than 0 is expected. Entered value = ');
+    &js_escape(\$alertmsg);
     $request->print(&Apache::lonhtmlcommon::scripttag(<<SUBJAVASCRIPT));
     function updateRadio(formname,id,weight) {
 	var gradeBox = formname["GD_BOX"+id];
@@ -1422,10 +1424,21 @@
 
     my $docopen=&Apache::lonhtmlcommon::javascript_docopen();
     $docopen=~s/^document\.//;
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                 keyw => 'Keywords list, separated by a space. Add/delete to list if desired.',
                 plse => 'Please select a word or group of words from document and then click this link.',
                 adds => 'Add selection to keyword list? Edit if desired.',
+                col1 => 'red',
+                col2 => 'green',
+                col3 => 'blue',
+                siz1 => 'normal',
+                siz2 => '+1',
+                siz3 => '+2',
+                sty1 => 'normal',
+                sty2 => 'italic',
+                sty3 => 'bold',
+             );
+    my %html_js_lt = &Apache::lonlocal::texthash(
                 comp => 'Compose Message for: ',
                 incl => 'Include',
                 type => 'Type',
@@ -1438,21 +1451,15 @@
                 txtc => 'Text Color',
                 font => 'Font Size',
                 fnst => 'Font Style',
-                col1 => 'red',
-                col2 => 'green',
-                col3 => 'blue',
-                siz1 => 'normal',
-                siz2 => '+1',
-                siz3 => '+2',
-                sty1 => 'normal',
-                sty2 => 'italic',
-                sty3 => 'bold',
              );
+    &js_escape(\%js_lt);
+    &html_escape(\%html_js_lt);
+    &js_escape(\%html_js_lt);
     $request->print(&Apache::lonhtmlcommon::scripttag(<<SUBJAVASCRIPT));
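Review bot: The two calls `&html_escape(\%html_js_lt); &js_escape(\%html_js_lt);` are order-sensitive and undocumented, and a later maintainer could plausibly swap them or drop one; add `# HTML-escape first, then JS-escape: these strings are emitted via pDoc.write() inside JS string literals, so they pass the JS lexer before the HTML parser`. Moving `col1`..`sty3` into `%js_lt` (JS escaping only) is correct only if those translated values never reach HTML; they become `txtcol1` etc. in a later hunk and their final destination is not visible here. The enclosing sub starts outside the hunk and the SUBJAVASCRIPT heredoc runs past it.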
 
 //===================== Show list of keywords ====================
   function keywords(formname) {
-    var nret = prompt("$lt{'keyw'}",formname.keywords.value);
+    var nret = prompt("$js_lt{'keyw'}",formname.keywords.value);
     if (nret==null) return;
     formname.keywords.value = nret;
 
@@ -1479,10 +1486,10 @@
     else return;
     var cleantxt = txt.replace(new RegExp('([\\f\\n\\r\\t\\v ])+', 'g')," ");
     if (cleantxt=="") {
-	alert("$lt{'plse'}");
+	alert("$js_lt{'plse'}");
 	return;
     }
-    var nret = prompt("$lt{'adds'}",cleantxt);
+    var nret = prompt("$js_lt{'adds'}",cleantxt);
     if (nret==null) return;
     document.SCORE.keywords.value = document.SCORE.keywords.value+" "+nret;
     if (document.SCORE.keywords.value != "") {
@@ -1562,16 +1569,16 @@
 
     pDoc.write("<form action=\\"inactive\\" name=\\"msgcenter\\">");
     pDoc.write("<input value=\\""+usrctr+"\\" name=\\"usrctr\\" type=\\"hidden\\">");
-    pDoc.write("<h1> $lt{'comp'}\"+fullname+\"<\\/h1>");
+    pDoc.write("<h1> $html_js_lt{'comp'}\"+fullname+\"<\\/h1>");
 
     pDoc.write('<table style="border:1px solid black;"><tr>');
-    pDoc.write("<td><b>$lt{'incl'}<\\/b><\\/td><td><b>$lt{'type'}<\\/b><\\/td><td><b>$lt{'mesa'}<\\/td><\\/tr>");
+    pDoc.write("<td><b>$html_js_lt{'incl'}<\\/b><\\/td><td><b>$html_js_lt{'type'}<\\/b><\\/td><td><b>$html_js_lt{'mesa'}<\\/td><\\/tr>");
 }
     function displaySubject(msg,shwsel) {
     pDoc = pWin.document;
     pDoc.write("<tr>");
     pDoc.write("<td align=\\"center\\"><input name=\\"subchk\\" type=\\"checkbox\\"" +shwsel+"><\\/td>");
-    pDoc.write("<td>$lt{'subj'}<\\/td>");
+    pDoc.write("<td>$html_js_lt{'subj'}<\\/td>");
     pDoc.write("<td><input name=\\"msgsub\\" type=\\"text\\" value=\\""+msg+"\\"size=\\"40\\" maxlength=\\"80\\"><\\/td><\\/tr>");
 }
 
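Review bot: The server-side escaping added on these `pDoc.write` lines covers the localized labels but not the JavaScript runtime values written into the same markup on the context lines: `fullname` is concatenated into the `<h1>` and `msg` into a double-quoted `value=\"...\"` attribute with no HTML/attribute escaping. If either can originate from user-entered data (a student's name, a submission subject), a `"` in `msg` breaks out of the attribute and the injection class this commit targets stays reachable from the client side; their origin is outside the hunk, so confirm. A small client-side escaper applied at the write site (`.replace(/&/g,"&amp;").replace(/"/g,"&quot;").replace(/</g,"&lt;")`) would close it. These functions live inside the SUBJAVASCRIPT heredoc, which starts and ends outside the hunk.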
@@ -1587,7 +1594,7 @@
     pDoc = pWin.document;
     pDoc.write("<tr>");
     pDoc.write("<td align=\\"center\\"><input name=\\"newmsgchk\\" type=\\"checkbox\\"" +shwsel+"><\\/td>");
-    pDoc.write("<td align=\\"center\\">$lt{'new'}<\\/td>");
+    pDoc.write("<td align=\\"center\\">$html_js_lt{'new'}<\\/td>");
     pDoc.write("<td><textarea name=\\"newmsg\\" cols=\\"60\\" rows=\\"3\\" onchange=\\"javascript:this.form.newmsgchk.checked=true\\" >"+newmsg+"<\\/textarea><\\/td><\\/tr>");
 }
 
@@ -1595,8 +1602,8 @@
     pDoc = pWin.document;
     //pDoc.write("<\\/table>");
     pDoc.write("<\\/td><\\/tr><\\/table> ");
-    pDoc.write("<input type=\\"button\\" value=\\"$lt{'save'}\\" onclick=\\"javascript:checkInput()\\">  ");
-    pDoc.write("<input type=\\"button\\" value=\\"$lt{'canc'}\\" onclick=\\"self.close()\\"><br /><br />");
+    pDoc.write("<input type=\\"button\\" value=\\"$html_js_lt{'save'}\\" onclick=\\"javascript:checkInput()\\">  ");
+    pDoc.write("<input type=\\"button\\" value=\\"$html_js_lt{'canc'}\\" onclick=\\"self.close()\\"><br /><br />");
     pDoc.write("<\\/form>");
     pDoc.write('$end_page_msg_central');
     pDoc.close();
@@ -1610,15 +1617,15 @@
     var redsel = "";
     var grnsel = "";
     var blusel = "";
-    var txtcol1 = "$lt{'col1'}";
-    var txtcol2 = "$lt{'col2'}";
-    var txtcol3 = "$lt{'col3'}";
-    var txtsiz1 = "$lt{'siz1'}";
-    var txtsiz2 = "$lt{'siz2'}";
-    var txtsiz3 = "$lt{'siz3'}";
-    var txtsty1 = "$lt{'sty1'}";
-    var txtsty2 = "$lt{'sty2'}";
-    var txtsty3 = "$lt{'sty3'}";
+    var txtcol1 = "$js_lt{'col1'}";
+    var txtcol2 = "$js_lt{'col2'}";
+    var txtcol3 = "$js_lt{'col3'}";
+    var txtsiz1 = "$js_lt{'siz1'}";
+    var txtsiz2 = "$js_lt{'siz2'}";
+    var txtsiz3 = "$js_lt{'siz3'}";
+    var txtsty1 = "$js_lt{'sty1'}";
+    var txtsty2 = "$js_lt{'sty2'}";
+    var txtsty3 = "$js_lt{'sty3'}";
     if (kwclr=="red")   {var redsel="checked='checked'"};
     if (kwclr=="green") {var grnsel="checked='checked'"};
     if (kwclr=="blue")  {var blusel="checked='checked'"};
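Review bot: `txtcol1`..`txtsty3` now carry JS-escaped but not HTML-escaped translations, while the literals compared on the following lines (`kwclr=="red"`) are untouched, so the comparisons stay correct. However these variables are presumably handed to `highlightbody()` as its `clrtxt`/`sztxt`/`sytxt` arguments and written into the highlight window via `hDoc.write`, which is the same HTML-inside-JS context that received `html_escape` followed by `js_escape` for `%html_js_lt`; if so, `col1`..`sty3` belong in `%html_js_lt` rather than `%js_lt`. The body of `highlightbody()` is outside the hunk, so this needs confirming before changing it.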
@@ -1655,10 +1662,10 @@
     hDoc.$docopen;
     hDoc.write('$start_page_highlight_central');
     hDoc.write("<form action=\\"inactive\\" name=\\"hlCenter\\">");
-    hDoc.write("<h1>$lt{'kehi'}<\\/h1>");
+    hDoc.write("<h1>$html_js_lt{'kehi'}<\\/h1>");
 
     hDoc.write('<table border="0" width="100%"><tr style="background-color:#A1D676">');
-    hDoc.write("<th>$lt{'txtc'}<\\/th><th>$lt{'font'}<\\/th><th>$lt{'fnst'}<\\/th><\\/tr>");
+    hDoc.write("<th>$html_js_lt{'txtc'}<\\/th><th>$html_js_lt{'font'}<\\/th><th>$html_js_lt{'fnst'}<\\/th><\\/tr>");
   }
 
   function highlightbody(clrval,clrtxt,clrsel,szval,sztxt,szsel,syval,sytxt,sysel) { 
@@ -1676,8 +1683,8 @@
   function highlightend() { 
     var hDoc = hwdWin.document;
     hDoc.write("<\\/table><br \\/>");
-    hDoc.write("<input type=\\"button\\" value=\\"$lt{'save'}\\" onclick=\\"javascript:updateChoice(1)\\" \\/>  ");
-    hDoc.write("<input type=\\"button\\" value=\\"$lt{'canc'}\\" onclick=\\"self.close()\\" \\/><br /><br />");
+    hDoc.write("<input type=\\"button\\" value=\\"$html_js_lt{'save'}\\" onclick=\\"javascript:updateChoice(1)\\" \\/>  ");
+    hDoc.write("<input type=\\"button\\" value=\\"$html_js_lt{'canc'}\\" onclick=\\"self.close()\\" \\/><br /><br />");
     hDoc.write("<\\/form>");
     hDoc.write('$end_page_highlight_central');
     hDoc.close();
@@ -3379,6 +3386,7 @@
     my ($request) = shift;
 
     my $alertmsg = &mt('A number equal or greater than 0 is expected. Entered value = ');
+    &js_escape(\$alertmsg);
     $request->print(&Apache::lonhtmlcommon::scripttag(<<VIEWJAVASCRIPT));
    function writePoint(partid,weight,point) {
 	var radioButton = document.classgrade["RADVAL_"+partid];
@@ -4028,6 +4036,8 @@
 sub csvupload_javascript_reverse_associate {
     my $error1=&mt('You need to specify the username or the student/employee ID');
     my $error2=&mt('You need to specify at least one grading field');
+  &js_escape(\$error1);
+  &js_escape(\$error2);
   return(<<ENDPICK);
   function verify(vf) {
     var foundsomething=0;
@@ -4068,6 +4078,8 @@
 sub csvupload_javascript_forward_associate {
     my $error1=&mt('You need to specify the username or the student/employee ID');
     my $error2=&mt('You need to specify at least one grading field');
+  &js_escape(\$error1);
+  &js_escape(\$error2);
   return(<<ENDPICK);
   function verify(vf) {
     var foundsomething=0;
@@ -4176,6 +4188,7 @@
 
 sub checkforfile_js {
     my $alertmsg = &mt('Please use the browse button to select a file from your local directory.');
+    &js_escape(\$alertmsg);
     my $result = &Apache::lonhtmlcommon::scripttag(<<CSVFORMJS);
     function checkUpload(formname) {
 	if (formname.upfile.value == "") {
@@ -4445,6 +4458,7 @@
     my ($request,$symb) = @_;
 
     my $alertmsg = &mt('Please select the student you wish to grade.');
+    &js_escape(\$alertmsg);
     $request->print(&Apache::lonhtmlcommon::scripttag(<<LISTJAVASCRIPT));
 
 function checkPickOne(formname) {
@@ -5482,10 +5496,12 @@
     my $default_form_data=&defaultFormData($symb);
     my $cdom= $env{'course.'.$env{'request.course.id'}.'.domain'};
     my $cnum= $env{'course.'.$env{'request.course.id'}.'.num'};
+    my $alertmsg = &mt('Please use the browse button to select a file from your local directory.');
+    &js_escape(\$alertmsg);
     $r->print(&Apache::lonhtmlcommon::scripttag('
     function checkUpload(formname) {
 	if (formname.upfile.value == "") {
-	    alert("'.&mt('Please use the browse button to select a file from your local directory.').'");
+	    alert("'.$alertmsg.'");
 	    return false;
 	}
 	formname.submit();
@@ -7472,6 +7488,7 @@
     my (@ansnums) = @_;
     my $ansnumstr = join('","', at ansnums);
     my $warning = &mt("A bubble or 'No bubble' selection has not been made for one or more lines.");
+    &js_escape(\$warning);
     my $output = &Apache::lonhtmlcommon::scripttag((<<ENDSCRIPT));
 function verify_bubble_radio(form) {
     var ansnumArray = new Array ("$ansnumstr");
@@ -8662,7 +8679,9 @@
                        ('&nbsp'x2).&mt('(shows course personnel)'); 
     my $default_form_data=&defaultFormData($symb);
     my $nofile_alert = &mt('Please use the browse button to select a file from your local directory.');
+    &js_escape(\$nofile_alert);
     my $nocourseid_alert = &mt("Please use the 'Select Course' link to open a separate window where you can search for a course to which a file can be uploaded.");
+    &js_escape(\$nocourseid_alert);
     $r->print(&Apache::lonhtmlcommon::scripttag('
     function checkUpload(formname) {
 	if (formname.upfile.value == "") {
Index: loncom/imspackages/imsimport.pm
diff -u loncom/imspackages/imsimport.pm:1.46 loncom/imspackages/imsimport.pm:1.47
--- loncom/imspackages/imsimport.pm:1.46	Thu Dec 11 01:07:38 2014
+++ loncom/imspackages/imsimport.pm	Tue Jun  9 21:22:51 2015
@@ -1,6 +1,6 @@
 # The LearningOnline Network with CAPA
 # 
-# $Id: imsimport.pm,v 1.46 2014/12/11 01:07:38 raeburn Exp $
+# $Id: imsimport.pm,v 1.47 2015/06/09 21:22:51 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -57,22 +57,26 @@
     my $end_page = 
 	&Apache::loncommon::end_page({'js_ready' => 1,});
 
-    my %lt = &Apache::lonlocal::texthash( 
+    my %js_lt = &Apache::lonlocal::texthash( 
                ddir => 'You must choose a destination directory for the import',
                cmss => 'You must choose the Course Management System from which the IMS package was exported',
+             );
+    my %html_lt = &Apache::lonlocal::texthash( 
                loca => 'Location:',
                newd => 'New Directory',
                nndi => 'Enter the name of the new directory where you will store the contents of your IMS package.',
                go => 'Go', 
              );
+    &js_escape(\%js_lt);
+    &html_escape(\%html_lt);
     return <<"END_OF_ONE";
 function verify() {
  if ((document.forms.$formname.newdir.value == '')  || (!document.forms.$formname.newdir.value)) {
-   alert('$lt{'ddir'}')
+   alert('$js_lt{'ddir'}')
    return false
  }
  if (document.forms.$formname.source.selectedIndex == 0) {
-   alert('$lt{'cmss'}');
+   alert('$js_lt{'cmss'}');
    return false
  }
  return true
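Review bot: `%html_lt` receives only `&html_escape`, yet every one of its values is interpolated into a double-quoted JavaScript string literal passed to `newWindow.document.write(...)` in the next hunk, the same HTML-inside-JS context for which grades.pm in this commit applies `html_escape` followed by `js_escape`. A translation containing a backslash or a line break would therefore still terminate the JS string, and `$html_lt{'go'}` lands inside a single-quoted HTML attribute (`value='...'`) where a `'` is only neutralised if html_escape happens to cover it. Add `&js_escape(\%html_lt);` directly after `&html_escape(\%html_lt);` so this file matches grades.pm. The enclosing sub starts outside the hunk.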
@@ -92,15 +96,15 @@
   newWindow.document.write("\\n<img border='0' src='/adm/lonInterFace/author.jpg' alt='[Author Header]' />\\n")
   newWindow.document.write("<table border='0' cellspacing='0' cellpadding='0' width='600'>\\n")
   newWindow.document.write("<tr><td width='2'> </td><td width='3'> </td>\\n")
-  newWindow.document.write("<td><h3>$lt{'loca'} <tt>$fullpath</tt></h3><h3>$lt{'newd'}</h3></td></tr>\\n")
+  newWindow.document.write("<td><h3>$html_lt{'loca'} <tt>$fullpath</tt></h3><h3>$html_lt{'newd'}</h3></td></tr>\\n")
   newWindow.document.write("<tr><td width='2'> </td><td width='3'> </td>\\n")
   newWindow.document.write("<td><form name='fileaction' action='/adm/cfile' method='post'>\\n")
-  newWindow.document.write("$lt{'nndi'}<br /><br />")
+  newWindow.document.write("$html_lt{'nndi'}<br /><br />")
   newWindow.document.write("<input type='hidden' name='filename' value='$fullpath' />")
   newWindow.document.write("<input type='hidden' name='action' value='newdir' />")
   newWindow.document.write("<input type='hidden' name='callingmode' value='imsimport' />")
   newWindow.document.write("$fullpath<input type='text' name='newfilename' value='' />")
-  newWindow.document.write("<input type='button' value='$lt{'go'}' onclick='document.fileaction.submit();' />")
+  newWindow.document.write("<input type='button' value='$html_lt{'go'}' onclick='document.fileaction.submit();' />")
   newWindow.document.write("</td></tr>\\n")
   newWindow.document.write("</table>")
   newWindow.document.write('$end_page')
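Review bot: `$fullpath` is interpolated raw into the JS string literals this hunk rewrites and, within them, into both element content (`<tt>$fullpath</tt>`) and a single-quoted attribute (`value='$fullpath'`), so it is not covered by the new `%html_lt` escaping. Its origin is outside the hunk; if it can contain user-chosen directory names, a `'` or `"` breaks the attribute or the JS string, and it should get the same treatment as the labels: `my $js_fullpath = $fullpath; &html_escape(\$js_fullpath); &js_escape(\$js_fullpath);` and use `$js_fullpath` on these lines. `$end_page` is built with `js_ready => 1` and is presumably already safe for the single-quoted `write('...')`. The enclosing sub starts outside the hunk.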
@@ -133,7 +137,7 @@
     $course_list = '"'.join('","', at crslist).'"';
     $$numcrs = @crslist;
 
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                   sel    => 'Please select',
                   impto  => 'Import topics only',
                   imptpa => 'Import topics + posts (with author)',
@@ -147,6 +151,7 @@
                   errte  => 'You must select a target course when importing enrollment information.',
                   errcc  => 'You must check at least one Content Type.',
        );
+    &js_escape(\%js_lt);
     return <<"END_OF_TWO";
 
 function checkCourse() {
@@ -195,7 +200,7 @@
     step2Form.targetcourse.length = 0
     if (call == 'add') {
         step2Form.targetcourse.length = 0
-        step2Form.targetcourse.options[0] = new Option("$lt{'sel'}","0",true,true)
+        step2Form.targetcourse.options[0] = new Option("$js_lt{'sel'}","0",true,true)
         for (var i=0; i<courseID_array.length; i++) {
             step2Form.targetcourse.options[i+1] = new Option(courseTitle_array[i],courseID_array[i],false,false)
         }
@@ -215,22 +220,22 @@
   opForm.elements[menu].length = 0
   if (opForm.elements[itemnum*2].checked == true) {
     if (caller == "board") {
-      opForm.elements[menu].options[0] = new Option("$lt{'sel'}","-1",true,true)
-      opForm.elements[menu].options[1] = new Option("$lt{'impto'}","topics",true,true)
-      opForm.elements[menu].options[2] = new Option("$lt{'imptpa'}","allpost",true,true)
-      opForm.elements[menu].options[3] = new Option("$lt{'imptpn'}","allanon",true,true)
+      opForm.elements[menu].options[0] = new Option("$js_lt{'sel'}","-1",true,true)
+      opForm.elements[menu].options[1] = new Option("$js_lt{'impto'}","topics",true,true)
+      opForm.elements[menu].options[2] = new Option("$js_lt{'imptpa'}","allpost",true,true)
+      opForm.elements[menu].options[3] = new Option("$js_lt{'imptpn'}","allanon",true,true)
     }
     else { 
       if (caller == "users") {
         opForm.elements[menu].length = 0
-        opForm.elements[menu].options[0] = new Option("$lt{'sel'}","-1",true,true)
-        opForm.elements[menu].options[1] = new Option("$lt{'enrst'}","students",true,true)
-        opForm.elements[menu].options[2] = new Option("$lt{'enrall'}","all",true,true)
+        opForm.elements[menu].options[0] = new Option("$js_lt{'sel'}","-1",true,true)
+        opForm.elements[menu].options[1] = new Option("$js_lt{'enrst'}","students",true,true)
+        opForm.elements[menu].options[2] = new Option("$js_lt{'enrall'}","all",true,true)
       }
     }
   }
   else {
-    opForm.elements[menu].options[0] = new Option("$lt{'notreq'}","0",true,true)
+    opForm.elements[menu].options[0] = new Option("$js_lt{'notreq'}","0",true,true)
   }
   opForm.elements[menu].selectedIndex = 0
   if (numCrs > 0) {
@@ -248,7 +253,7 @@
       totcheck ++
       if (opForm.elements[2*i].name == "board") { 
         if (opForm.elements[2*i+1].selectedIndex == 0) {     
-          alert("$lt{'errao'}")
+          alert("$js_lt{'errao'}")
           return false
         }
         if (numCrs == 0) {
@@ -257,14 +262,14 @@
         }
         else {
           if (opForm.targetcourse.selectedIndex == 0) {
-            alert("$lt{'errtd'}")
+            alert("$js_lt{'errtd'}")
             return false
           }
         }
       }
       if (opForm.elements[2*i].name == "users") {
         if (opForm.elements[2*i+1].selectedIndex == 0) {     
-          alert("$lt{'errap'}")
+          alert("$js_lt{'errap'}")
           return false
         }
         if (numCrs == 0) {
@@ -273,7 +278,7 @@
         }
         else {
           if (opForm.targetcourse.selectedIndex == 0) {
-            alert("$lt{'errte'}")
+            alert("$js_lt{'errte'}")
             return false
           }
         }
@@ -281,7 +286,7 @@
     }
   }
   if (totcheck == 0) {
-    alert("$lt{'errcc'}");
+    alert("$js_lt{'errcc'}");
     return false
   }
   return true
Index: loncom/interface/coursecatalog.pm
diff -u loncom/interface/coursecatalog.pm:1.87 loncom/interface/coursecatalog.pm:1.88
--- loncom/interface/coursecatalog.pm:1.87	Tue May 19 18:07:35 2015
+++ loncom/interface/coursecatalog.pm	Tue Jun  9 21:22:55 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler for displaying the course catalog interface
 #
-# $Id: coursecatalog.pm,v 1.87 2015/05/19 18:07:35 raeburn Exp $
+# $Id: coursecatalog.pm,v 1.88 2015/06/09 21:22:55 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -295,6 +295,7 @@
                 if (!$deeper) {
                     $alert = &mt('Choose a category to display');
                 }
+                &js_escape(\$alert);
                 $catjs .= <<ENDJS;
 function check_selected() {
     if (document.coursecats.$selitem.options[document.coursecats.$selitem.selectedIndex].value == "") {
Index: loncom/interface/courseprefs.pm
diff -u loncom/interface/courseprefs.pm:1.71 loncom/interface/courseprefs.pm:1.72
--- loncom/interface/courseprefs.pm:1.71	Thu May 21 23:26:35 2015
+++ loncom/interface/courseprefs.pm	Tue Jun  9 21:22:55 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set configuration settings for a course
 #
-# $Id: courseprefs.pm,v 1.71 2015/05/21 23:26:35 raeburn Exp $
+# $Id: courseprefs.pm,v 1.72 2015/06/09 21:22:55 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -2430,6 +2430,7 @@
         } else {
             $alert = &mt("Use 'Save' in the main window to save course categories");
         }
+        &js_escape(\$alert);
         $catwin_js = <<ENDSCRIPT;
 <script type="text/javascript">
 
Index: loncom/interface/createaccount.pm
diff -u loncom/interface/createaccount.pm:1.69 loncom/interface/createaccount.pm:1.70
--- loncom/interface/createaccount.pm:1.69	Fri Jan  9 15:41:49 2015
+++ loncom/interface/createaccount.pm	Tue Jun  9 21:22:55 2015
@@ -4,7 +4,7 @@
 # kerberos, or SSO) or an e-mail address. Requests to use an e-mail address as
 # username may be processed automatically, or may be queued for approval.
 #
-# $Id: createaccount.pm,v 1.69 2015/01/09 15:41:49 raeburn Exp $
+# $Id: createaccount.pm,v 1.70 2015/06/09 21:22:55 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -389,6 +389,7 @@
     }
     if (@required) {
         my $missprompt = &mt('One or more required fields are currently blank.');
+        &js_escape(\$missprompt);
         my $reqstr = join("','", at required);
         $requiredchk = <<"ENDCHK";
                 var requiredfields = new Array('$reqstr');
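Review bot: `$missprompt` is now JS-escaped, but `$reqstr`, built on the very next line by joining `@required` with `','` and dropped into a single-quoted JS array literal, is not. If the required-field names come from domain configuration rather than a fixed code list, a `'` or backslash in one of them still breaks the `requiredfields` array; escape each element before the join, e.g. `my $reqstr = join("','", map { my $f = $_; &js_escape(\$f); $f } @required);`. The `, at required` spelling is presumably the mail archive mangling `,@required`. The enclosing sub and the ENDCHK heredoc both extend outside the hunk.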
@@ -452,8 +453,10 @@
 sub javascript_checkpass {
     my ($now,$context) = @_;
     my $nopass = &mt('You must enter a password.');
-    my $mismatchpass = &mt('The passwords you entered did not match.').'\\n'.
+    my $mismatchpass = &mt('The passwords you entered did not match.')."\n".
                        &mt('Please try again.'); 
+    &js_escape(\$nopass);
+    &js_escape(\$mismatchpass);
     my $js = <<"ENDSCRIPT";
 <script type="text/javascript">
 // <![CDATA[
@@ -487,18 +490,19 @@
 }
 
 sub javascript_validmail {
-    my %lt = &Apache::lonlocal::texthash (
+    my %js_lt = &Apache::lonlocal::texthash (
                email => 'The e-mail address you entered',
                notv  => 'is not a valid e-mail address',
     );
     my $output =  "\n".'<script type="text/javascript">'."\n".
                   '// <![CDATA['."\n".
                   &Apache::lonhtmlcommon::javascript_valid_email()."\n";
+    &js_escape(\%js_lt);
     $output .= <<"ENDSCRIPT";
 function validate_email(client) {
     field = client.uname;
     if (validmail(field) == false) {
-        alert("$lt{'email'}: "+field.value+" $lt{'notv'}.");
+        alert("$js_lt{'email'}: "+field.value+" $js_lt{'notv'}.");
         return false;
     }
     return true;
Index: loncom/interface/domainprefs.pm
diff -u loncom/interface/domainprefs.pm:1.264 loncom/interface/domainprefs.pm:1.265
--- loncom/interface/domainprefs.pm:1.264	Thu May 21 22:59:16 2015
+++ loncom/interface/domainprefs.pm	Tue Jun  9 21:22:55 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: domainprefs.pm,v 1.264 2015/05/21 22:59:16 raeburn Exp $
+# $Id: domainprefs.pm,v 1.265 2015/06/09 21:22:55 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -5486,7 +5486,10 @@
     }
     my $instcode_reserved = &mt('The name: [_1] is a reserved category.','"instcode"');
     my $communities_reserved = &mt('The name: [_1] is a reserved category.','"communities"');
-    my $choose_again = '\\n'.&mt('Please use a different name for the new top level category.'); 
+    my $choose_again = "\n".&mt('Please use a different name for the new top level category.'); 
+    &js_escape(\$instcode_reserved);
+    &js_escape(\$communities_reserved);
+    &js_escape(\$choose_again);
     $output = <<"ENDSCRIPT";
 <script type="text/javascript">
 // <![CDATA[
Index: loncom/interface/loncommon.pm
diff -u loncom/interface/loncommon.pm:1.1221 loncom/interface/loncommon.pm:1.1222
--- loncom/interface/loncommon.pm:1.1221	Thu May 21 23:40:09 2015
+++ loncom/interface/loncommon.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # a pile of common routines
 #
-# $Id: loncommon.pm,v 1.1221 2015/05/21 23:40:09 raeburn Exp $
+# $Id: loncommon.pm,v 1.1222 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -7802,6 +7802,7 @@
                                         $newurl .= '&origurl='.$requrl;
                                     }
                                 }
+                                &js_escape(\$msg);
                                 $result.=<<OFFLOAD
 <meta http-equiv="pragma" content="no-cache" />
 <script type="text/javascript">
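Review bot: `$msg` is now JS-escaped, but `$newurl`, assembled on the context lines above by appending `$requrl` raw after `&origurl=`, is presumably also interpolated into the OFFLOAD script that begins on the hunk's last line and continues outside it. If so, `$requrl` (a request URL, hence attacker-influenced) needs URL-encoding when appended, `$newurl .= '&origurl='.&escape($requrl);` or equivalent, and `$newurl` needs `&js_escape(\$newurl);` next to the `$msg` call; a `'`, `"` or `</script>` in the request path would otherwise still break out of the string or the script element. The enclosing sub starts outside the hunk.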
@@ -9536,7 +9537,7 @@
         }
         $srchterm = $srch->{'srchterm'};
     }
-    my %lt=&Apache::lonlocal::texthash(
+    my %html_lt=&Apache::lonlocal::texthash(
                     'usr'       => 'Search criteria',
                     'doma'      => 'Domain/institution to search',
                     'uname'     => 'username',
@@ -9549,6 +9550,8 @@
                     'exact'     => 'is',
                     'contains'  => 'contains',
                     'begins'    => 'begins with',
+                                       );
+    my %js_lt=&Apache::lonlocal::texthash(
                     'youm'      => "You must include some text to search for.",
                     'thte'      => "The text you are searching for must contain at least two characters when using a 'begins' type search.",
                     'thet'      => "The text you are searching for must contain at least three characters when using a 'contains' type search.",
@@ -9558,6 +9561,8 @@
                     'whse'      => "When searching by last,first you must include at least one character in the first name.",
                      'thfo'     => "The following need to be corrected before the search can be run:",
                                        );
+    &html_escape(\%html_lt);
+    &js_escape(\%js_lt);
     my $domform = &select_dom_form($currdom,'srchdomain',1,1);
     my $srchinsel = ' <select name="srchin">';
 
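Review bot: `$srchterm` is taken from `$srch->{'srchterm'}` on a context line of this hunk and, further down in this file's diff, is placed into the search form as `value="'.$srchterm.'"` with no HTML-attribute escaping; that is the same injection class this commit fixes, but on a user-supplied value rather than a translation. Unless the caller already sanitises `$srch`, a `"` in the search term breaks out of the attribute, so escape it before building the input, e.g. `my $html_srchterm = $srchterm; &html_escape(\$html_srchterm);`. The split into `%html_lt` (option text, row titles) and `%js_lt` (`msg +=` string literals) is itself correct for where each set is used. The enclosing sub starts outside the hunk.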
@@ -9572,10 +9577,10 @@
         next if ($option eq 'crs' && !$env{'request.course.id'});
         if ($curr_selected{'srchin'} eq $option) {
             $srchinsel .= ' 
-   <option value="'.$option.'" selected="selected">'.$lt{$option}.'</option>';
+   <option value="'.$option.'" selected="selected">'.$html_lt{$option}.'</option>';
         } else {
             $srchinsel .= '
-   <option value="'.$option.'">'.$lt{$option}.'</option>';
+   <option value="'.$option.'">'.$html_lt{$option}.'</option>';
         }
     }
     $srchinsel .= "\n  </select>\n";
@@ -9584,10 +9589,10 @@
     foreach my $option ('lastname','lastfirst','uname') {
         if ($curr_selected{'srchby'} eq $option) {
             $srchbysel .= '
-   <option value="'.$option.'" selected="selected">'.$lt{$option}.'</option>';
+   <option value="'.$option.'" selected="selected">'.$html_lt{$option}.'</option>';
         } else {
             $srchbysel .= '
-   <option value="'.$option.'">'.$lt{$option}.'</option>';
+   <option value="'.$option.'">'.$html_lt{$option}.'</option>';
          }
     }
     $srchbysel .= "\n  </select>\n";
@@ -9596,10 +9601,10 @@
     foreach my $option ('begins','contains','exact') {
         if ($curr_selected{'srchtype'} eq $option) {
             $srchtypesel .= '
-   <option value="'.$option.'" selected="selected">'.$lt{$option}.'</option>';
+   <option value="'.$option.'" selected="selected">'.$html_lt{$option}.'</option>';
         } else {
             $srchtypesel .= '
-   <option value="'.$option.'">'.$lt{$option}.'</option>';
+   <option value="'.$option.'">'.$html_lt{$option}.'</option>';
         }
     }
     $srchtypesel .= "\n  </select>\n";
@@ -9684,46 +9689,46 @@
 
     if (srchterm == "") {
         checkok = 0;
-        msg += "$lt{'youm'}\\n";
+        msg += "$js_lt{'youm'}\\n";
     }
 
     if (srchtype== 'begins') {
         if (srchterm.length < 2) {
             checkok = 0;
-            msg += "$lt{'thte'}\\n";
+            msg += "$js_lt{'thte'}\\n";
         }
     }
 
     if (srchtype== 'contains') {
         if (srchterm.length < 3) {
             checkok = 0;
-            msg += "$lt{'thet'}\\n";
+            msg += "$js_lt{'thet'}\\n";
         }
     }
     if (srchin == 'instd') {
         if (srchdomain == '') {
             checkok = 0;
-            msg += "$lt{'yomc'}\\n";
+            msg += "$js_lt{'yomc'}\\n";
         }
     }
     if (srchin == 'dom') {
         if (srchdomain == '') {
             checkok = 0;
-            msg += "$lt{'ymcd'}\\n";
+            msg += "$js_lt{'ymcd'}\\n";
         }
     }
     if (srchby == 'lastfirst') {
         if (srchterm.indexOf(",") == -1) {
             checkok = 0;
-            msg += "$lt{'whus'}\\n";
+            msg += "$js_lt{'whus'}\\n";
         }
         if (srchterm.indexOf(",") == srchterm.length -1) {
             checkok = 0;
-            msg += "$lt{'whse'}\\n";
+            msg += "$js_lt{'whse'}\\n";
         }
     }
     if (checkok == 0) {
-        alert("$lt{'thfo'}\\n"+msg);
+        alert("$js_lt{'thfo'}\\n"+msg);
         return;
     }
     if (checkok == 1) {
@@ -9741,10 +9746,10 @@
 END_BLOCK
 
     $output .= &Apache::lonhtmlcommon::start_pick_box().
-               &Apache::lonhtmlcommon::row_title($lt{'doma'}).
+               &Apache::lonhtmlcommon::row_title($html_lt{'doma'}).
                $domform.
                &Apache::lonhtmlcommon::row_closure().
-               &Apache::lonhtmlcommon::row_title($lt{'usr'}).
+               &Apache::lonhtmlcommon::row_title($html_lt{'usr'}).
                $srchbysel.
                $srchtypesel. 
                '<input type="text" size="15" name="srchterm" value="'.$srchterm.'" />'.
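Review bot: `$srchterm` is interpolated unescaped into `value="'.$srchterm.'"` on the last line of this hunk, while the labels beside it now come from the HTML-escaped `%html_lt`; where `$srchterm` is set is outside the hunk. If it echoes the submitted search term, it needs `&html_escape(\$srchterm);` before this concatenation, otherwise the attribute stays open to exactly the class of markup breakage this commit is closing for the localized strings. The enclosing function starts and ends outside the hunk.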
Index: loncom/interface/lonconfigsettings.pm
diff -u loncom/interface/lonconfigsettings.pm:1.30 loncom/interface/lonconfigsettings.pm:1.31
--- loncom/interface/lonconfigsettings.pm:1.30	Thu May 21 23:26:35 2015
+++ loncom/interface/lonconfigsettings.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: lonconfigsettings.pm,v 1.30 2015/05/21 23:26:35 raeburn Exp $
+# $Id: lonconfigsettings.pm,v 1.31 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -75,6 +75,7 @@
                                                         \@code_order);
                 if (@code_order) {
                    my $noinstcodestr = &mt('You indicated cloning based on category, but did not select any categories.');
+                   &js_escape(\$noinstcodestr);
                    $instcode_check = <<"ENDSCRIPT";
     if (formname == document.display) {
         if (formname.cloners_instcode.length) {
@@ -118,6 +119,7 @@
         }
     }
     my $alert = &mt('You must select at least one functionality type to display.');
+    &js_escape(\$alert);
     my $js = '
 <script type="text/javascript">
 // <![CDATA[
Index: loncom/interface/loncourserespicker.pm
diff -u loncom/interface/loncourserespicker.pm:1.12 loncom/interface/loncourserespicker.pm:1.13
--- loncom/interface/loncourserespicker.pm:1.12	Thu Apr  9 17:57:05 2015
+++ loncom/interface/loncourserespicker.pm	Tue Jun  9 21:22:56 2015
@@ -1,6 +1,6 @@
 # The LearningOnline Network
 #
-# $Id: loncourserespicker.pm,v 1.12 2015/04/09 17:57:05 raeburn Exp $
+# $Id: loncourserespicker.pm,v 1.13 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -592,6 +592,9 @@
         my $blankmsg = &mt('An item selected has no filename set in the "Save as ..." column.');
         my $dupmsg = &mt('Items selected for copying need unique filenames in the "Save as ..." column.');
         my $homemsg = &mt('An Authoring Space needs to be selected.');
+        &js_escape(\$blankmsg);
+        &js_escape(\$dupmsg);
+        &js_escape(\$homemsg);
         $scripttag .= <<"EXTRA";
 
 function checkUnique(form,field) {
Index: loncom/interface/loncreatecourse.pm
diff -u loncom/interface/loncreatecourse.pm:1.157 loncom/interface/loncreatecourse.pm:1.158
--- loncom/interface/loncreatecourse.pm:1.157	Fri Feb 28 19:20:06 2014
+++ loncom/interface/loncreatecourse.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Create a course
 #
-# $Id: loncreatecourse.pm,v 1.157 2014/02/28 19:20:06 bisitz Exp $
+# $Id: loncreatecourse.pm,v 1.158 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -133,6 +133,8 @@
     } else {
         my $title_alert = &mt('A Community title is required');
         my $coord_alert = &mt('The username of the Coordinator is required');
+        &js_escape(\$title_alert);
+        &js_escape(\$coord_alert);
         $javascript_validations = qq|
 function validate(formname) {
     if (formname.title == '') {
Index: loncom/interface/loncreateuser.pm
diff -u loncom/interface/loncreateuser.pm:1.404 loncom/interface/loncreateuser.pm:1.405
--- loncom/interface/loncreateuser.pm:1.404	Thu Dec 11 01:20:50 2014
+++ loncom/interface/loncreateuser.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Create a user
 #
-# $Id: loncreateuser.pm,v 1.404 2014/12/11 01:20:50 raeburn Exp $
+# $Id: loncreateuser.pm,v 1.405 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -5544,6 +5544,7 @@
         butn => 'but no user types have been checked.',
         wilf => "Please uncheck 'activate' or check at least one type.",
     );
+    &js_escape(\%alerts);
     my $selfenroll_js = <<"ENDSCRIPT";
 function update_types(caller,num) {
     var delidx = getIndexByName('selfenroll_delete');
Index: loncom/interface/londocs.pm
diff -u loncom/interface/londocs.pm:1.593 loncom/interface/londocs.pm:1.594
--- loncom/interface/londocs.pm:1.593	Mon Mar 23 12:51:26 2015
+++ loncom/interface/londocs.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Documents
 #
-# $Id: londocs.pm,v 1.593 2015/03/23 12:51:26 droeschl Exp $
+# $Id: londocs.pm,v 1.594 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1353,29 +1353,34 @@
 }
 
 sub paste_popup_js {
-    my %lt = &Apache::lonlocal::texthash(
+    my %html_js_lt = &Apache::lonlocal::texthash(
                                           show => 'Show Options',
                                           hide => 'Hide Options',
+                                        );
+    my %js_lt = &Apache::lonlocal::texthash(
                                           none => 'No items selected from clipboard.',
                                         );
+    &html_escape(\%html_js_lt);
+    &js_escape(\%html_js_lt);
+    &js_escape(\%js_lt);
     return <<"END";
 
 function showPasteOptions(suffix) {
     document.getElementById('pasteoptions_'+suffix).style.display='block';
-    document.getElementById('pasteoptionstext_'+suffix).innerHTML = '    <a href="javascript:hidePasteOptions(\\''+suffix+'\\');" class="LC_menubuttons_link">$lt{'hide'}</a>';
+    document.getElementById('pasteoptionstext_'+suffix).innerHTML = '    <a href="javascript:hidePasteOptions(\\''+suffix+'\\');" class="LC_menubuttons_link">$html_js_lt{'hide'}</a>';
     return;
 }
 
 function hidePasteOptions(suffix) {
     document.getElementById('pasteoptions_'+suffix).style.display='none';
-    document.getElementById('pasteoptionstext_'+suffix).innerHTML ='    <a href="javascript:showPasteOptions(\\''+suffix+'\\')" class="LC_menubuttons_link">$lt{'show'}</a>';
+    document.getElementById('pasteoptionstext_'+suffix).innerHTML ='    <a href="javascript:showPasteOptions(\\''+suffix+'\\')" class="LC_menubuttons_link">$html_js_lt{'show'}</a>';
     return;
 }
 
 function showOptions(caller,suffix) {
     if (document.getElementById('pasteoptionstext_'+suffix)) {
         if (caller.checked) {
-            document.getElementById('pasteoptionstext_'+suffix).innerHTML ='    <a href="javascript:showPasteOptions(\\''+suffix+'\\')" class="LC_menubuttons_link">$lt{'show'}</a>';
+            document.getElementById('pasteoptionstext_'+suffix).innerHTML ='    <a href="javascript:showPasteOptions(\\''+suffix+'\\')" class="LC_menubuttons_link">$html_js_lt{'show'}</a>';
         } else {
             document.getElementById('pasteoptionstext_'+suffix).innerHTML ='';
         }
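Review bot: The order of the two escapes on `%html_js_lt` — `&html_escape` first, then `&js_escape` — is the right one for text that travels inside a JS string literal and is then assigned to `innerHTML`, but nothing in the code says why, and a later edit swapping the two calls would silently re-open the markup. A comment above the three calls would pin it, e.g. `# innerHTML strings: HTML-escape the text first, then escape it for the JS literal it is embedded in`. The same pair of calls on `%html_js_lt` in the dump_switchserver_js hunk further down in this file deserves the same comment.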
@@ -1404,7 +1409,7 @@
     if (numchk > 0) { 
         return true;
     } else {
-        alert("$lt{'none'}");
+        alert("$js_lt{'none'}");
         return false;
     }
 }
@@ -5794,7 +5799,7 @@
 
 sub editing_js {
     my ($udom,$uname,$supplementalflag) = @_;
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                                           p_mnf => 'Name of New Folder',
                                           t_mnf => 'New Folder',
                                           p_mnp => 'Name of New Page',
@@ -5832,7 +5837,7 @@
                                           noch    => 'No changes to settings specified.',
                                           noac    => 'No actions selected.',
                                         );
-
+    &js_escape(\%js_lt);
     my $crstype = &Apache::loncommon::course_type();
     my $docs_folderpath = &HTML::Entities::encode($env{'environment.internal.'.$env{'request.course.id'}.'.docs_folderpath.folderpath'},'<>&"');
     my $main_container_page;
@@ -5877,7 +5882,7 @@
 
     return <<ENDNEWSCRIPT;
 function makenewfolder(targetform,folderseq) {
-    var foldername=prompt('$lt{"p_mnf"}','$lt{"t_mnf"}');
+    var foldername=prompt('$js_lt{"p_mnf"}','$js_lt{"t_mnf"}');
     if (foldername) {
        targetform.importdetail.value=escape(foldername)+"="+folderseq;
         targetform.submit();
@@ -5885,7 +5890,7 @@
 }
 
 function makenewpage(targetform,folderseq) {
-    var pagename=prompt('$lt{"p_mnp"}','$lt{"t_mnp"}');
+    var pagename=prompt('$js_lt{"p_mnp"}','$js_lt{"t_mnp"}');
     if (pagename) {
         targetform.importdetail.value=escape(pagename)+"="+folderseq;
         targetform.submit();
@@ -5893,7 +5898,7 @@
 }
 
 function makeexamupload() {
-   var title=prompt('$lt{"p_mxu"}');
+   var title=prompt('$js_lt{"p_mxu"}');
    if (title) {
     this.document.forms.newexamupload.importdetail.value=
 	escape(title)+'=/res/lib/templates/examupload.problem';
@@ -5902,7 +5907,7 @@
 }
 
 function makesmppage() {
-   var title=prompt('$lt{"p_msp"}');
+   var title=prompt('$js_lt{"p_msp"}');
    if (title) {
     this.document.forms.newsmppg.importdetail.value=
 	escape(title)+'=/adm/$udom/$uname/new/smppg';
@@ -5911,7 +5916,7 @@
 }
 
 function makewebpage(type) {
-   var title=prompt('$lt{"p_mwp"}');
+   var title=prompt('$js_lt{"p_mwp"}');
    var formname;
    if (type == 'supp') {
        formname = this.document.forms.supwebpage;
@@ -5926,7 +5931,7 @@
 }
 
 function makesmpproblem() {
-   var title=prompt('$lt{"p_msb"}');
+   var title=prompt('$js_lt{"p_msb"}');
    if (title) {
     this.document.forms.newsmpproblem.importdetail.value=
 	escape(title)+'=/res/lib/templates/simpleproblem.problem';
@@ -5935,7 +5940,7 @@
 }
 
 function makedropbox() {
-   var title=prompt('$lt{"p_mdb"}');
+   var title=prompt('$js_lt{"p_mdb"}');
    if (title) {
     this.document.forms.newdropbox.importdetail.value=
         escape(title)+'=/res/lib/templates/DropBox.problem';
@@ -5944,7 +5949,7 @@
 }
 
 function makebulboard() {
-   var title=prompt('$lt{"p_mbb"}');
+   var title=prompt('$js_lt{"p_mbb"}');
    if (title) {
     this.document.forms.newbul.importdetail.value=
 	escape(title)+'=/adm/$udom/$uname/new/bulletinboard';
@@ -5953,20 +5958,20 @@
 }
 
 function makeabout() {
-   var user=prompt("$lt{'p_mab'}");
+   var user=prompt("$js_lt{'p_mab'}");
    if (user) {
        var comp=new Array();
        comp=user.split(':');
        if ((typeof(comp[0])!=undefined) && (typeof(comp[1])!=undefined)) {
 	   if ((comp[0]) && (comp[1])) {
 	       this.document.forms.newaboutsomeone.importdetail.value=
-		   '$lt{"p_mab2"}'+escape(user)+'=/adm/'+comp[1]+'/'+comp[0]+'/aboutme';
+		   '$js_lt{"p_mab2"}'+escape(user)+'=/adm/'+comp[1]+'/'+comp[0]+'/aboutme';
        this.document.forms.newaboutsomeone.submit();
    } else {
-       alert("$lt{'p_mab_alrt1'}");
+       alert("$js_lt{'p_mab_alrt1'}");
    }
 } else {
-   alert("$lt{'p_mab_alrt2'}");
+   alert("$js_lt{'p_mab_alrt2'}");
 }
 }
 }
@@ -6004,11 +6009,11 @@
 
 function makeims(imsform) {
     if ((imsform.uploaddoc.value == '')  || (!imsform.uploaddoc.value)) {
-        alert("$lt{'imsfile'}");
+        alert("$js_lt{'imsfile'}");
         return;
     }
     if (imsform.source.selectedIndex == 0) {
-        alert("$lt{'imscms'}");
+        alert("$js_lt{'imscms'}");
         return;
     }
     newWindow = window.open('', 'IMSimport',"HEIGHT=700,WIDTH=750,scrollbars=yes");
@@ -6016,7 +6021,7 @@
 }
 
 function changename(folderpath,index,oldtitle) {
-var title=prompt('$lt{"p_chn"}',oldtitle);
+var title=prompt('$js_lt{"p_chn"}',oldtitle);
 if (title) {
 this.document.forms.renameform.markcopy.value='';
 this.document.forms.renameform.title.value=title;
@@ -6040,7 +6045,7 @@
         picknumtext = document.getElementById('randompicknum_'+index);
     }
     if (pickitem.checked) {
-        var picknum=prompt('$lt{"rpck"}',picknumitem.value);
+        var picknum=prompt('$js_lt{"rpck"}',picknumitem.value);
         if (picknum == '' || picknum == null) {
             if (caller == 'check') {
                 pickitem.checked=false;
@@ -6228,14 +6233,14 @@
             targetform.markcopy.value=idx+':'+param;
             targetform.copyfolder.value=folder+'.'+container;
             if (param == 'remove') {
-                if (skip_confirm || confirm('$lt{"p_rmr1"}\\n\\n$lt{"p_rmr2a"} "'+oldtitle+'" $lt{"p_rmr2b"}')) {
+                if (skip_confirm || confirm('$js_lt{"p_rmr1"}\\n\\n$js_lt{"p_rmr2a"} "'+oldtitle+'" $js_lt{"p_rmr2b"}')) {
                     targetform.markcopy.value='';
                     targetform.copyfolder.value='';
                     targetform.submit();
                 }
             }
             if (param == 'cut') {
-                if (skip_confirm || confirm('$lt{"p_ctr1a"}\\n$lt{"p_ctr1b"}\\n\\n$lt{"p_ctr2a"} "'+oldtitle+'" $lt{"p_ctr2b"}')) {
+                if (skip_confirm || confirm('$js_lt{"p_ctr1a"}\\n$js_lt{"p_ctr1b"}\\n\\n$js_lt{"p_ctr2a"} "'+oldtitle+'" $js_lt{"p_ctr2b"}')) {
                     targetform.submit();
                     return;
                 }
@@ -6414,7 +6419,7 @@
         }
         document.getElementById('multi'+caller).style.display=disp;
         if (value == 1) {
-            document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',1);" style="text-decoration:none;">$lt{'more'}</a>'; 
+            document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',1);" style="text-decoration:none;">$js_lt{'more'}</a>'; 
         } else {
             document.getElementById('more'+caller).innerHTML = '';
         }
@@ -6440,10 +6445,10 @@
 
 function toggleCheckUncheck(caller,more) {
     if (more == 1) {
-        document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',0);" style="text-decoration:none;">$lt{'less'}</a>';
+        document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',0);" style="text-decoration:none;">$js_lt{'less'}</a>';
         document.getElementById('allfields'+caller).style.display='block';
     } else {
-        document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',1);" style="text-decoration:none;">$lt{'more'}</a>';
+        document.getElementById('more'+caller).innerHTML = '  <a href="javascript:toggleCheckUncheck(\\''+caller+'\\',1);" style="text-decoration:none;">$js_lt{'more'}</a>';
         document.getElementById('allfields'+caller).style.display='none';
     }
     resize_scrollbox('contentscroll','1','1');
@@ -6599,12 +6604,12 @@
         if (numchanges > 0) {
             if ((cutwarnings > 0) || (remwarnings > 0)) {
                 if (remwarnings > 0) {
-                    if (!confirm('$lt{"p_rmr1"}\\n\\n$lt{"p_rmr3a"} '+remwarnings+' $lt{"p_rmr3b"}')) {
+                    if (!confirm('$js_lt{"p_rmr1"}\\n\\n$js_lt{"p_rmr3a"} '+remwarnings+' $js_lt{"p_rmr3b"}')) {
                         return false;
                     }
                 }
                 if (cutwarnings > 0) {
-                    if (!confirm('$lt{"p_ctr1a"}\\n$lt{"p_ctr1b"}\\n\\n$lt{"p_ctr3a"} '+cutwarnings+' $lt{"p_ctr3b"}')) {
+                    if (!confirm('$js_lt{"p_ctr1a"}\\n$js_lt{"p_ctr1b"}\\n\\n$js_lt{"p_ctr3a"} '+cutwarnings+' $js_lt{"p_ctr3b"}')) {
                         return false;
                     }
                 }
@@ -6620,12 +6625,12 @@
         }
     }
     if ((dosettings == 1) && (doactions == 1)) {
-        alert("$lt{'noor'}");
+        alert("$js_lt{'noor'}");
     } else {
         if (dosettings == 1) {
-            alert("$lt{'noch'}");
+            alert("$js_lt{'noch'}");
         } else {
-            alert("$lt{'noac'}");
+            alert("$js_lt{'noac'}");
         }
     }
     return false;
@@ -6740,13 +6745,19 @@
 
 sub dump_switchserver_js {
     my @hosts = @_;
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
         dump => 'Copying content to Authoring Space requires switching server.',
         swit => 'Switch server?',
+    );
+    my %html_js_lt = &Apache::lonlocal::texthash(
+        swit => 'Switch server?',
         duco => 'Copying Content to Authoring Space',
         yone => 'You need to switch to a server housing an Authoring Space for which you are author or co-author.',
         chos => 'Choose server',
     );
+    &js_escape(\%js_lt);
+    &html_escape(\%html_js_lt);
+    &js_escape(\%html_js_lt);
     my $role = $env{'request.role'};
     my $js = <<"ENDSWJS";
 <script type="text/javascript">
@@ -6787,7 +6798,7 @@
 
 function dump_needs_switchserver(url) {
     if (url!='' && url!= null) {
-        if (confirm("$lt{'dump'}\\n$lt{'swit'}")) {
+        if (confirm("$js_lt{'dump'}\\n$js_lt{'swit'}")) {
             go(url);
         }
     }
@@ -6798,13 +6809,13 @@
     newWindow = window.open('','ChooseServer','height=400,width=500,scrollbars=yes')
     newWindow.document.open();
     newWindow.document.writeln('$startpage');
-    newWindow.document.write('<h3>$lt{'duco'}<\\/h3>\\n'+
-       '<p>$lt{'yone'}<\\/p>\\n'+
-       '<div class="LC_left_float"><fieldset><legend>$lt{'chos'}<\\/legend>\\n'+
+    newWindow.document.write('<h3>$html_js_lt{'duco'}<\\/h3>\\n'+
+       '<p>$html_js_lt{'yone'}<\\/p>\\n'+
+       '<div class="LC_left_float"><fieldset><legend>$html_js_lt{'chos'}<\\/legend>\\n'+
        '<form name="setserver" method="post" action="" \\/>\\n'+
        '$hostpicker\\n'+
        '<br \\/><br \\/>\\n'+
-       '<input type="button" name="makeswitch" value="$lt{'swit'}" '+
+       '<input type="button" name="makeswitch" value="$html_js_lt{'swit'}" '+
        'onclick="write_switchserver();" \\/>\\n'+
        '<\\/form><\\/fieldset><\\/div><br clear="all" \\/>\\n');
     newWindow.document.writeln('$endpage');
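Review bot: Inside the same `document.write`/`writeln` calls, `'$startpage'`, `'$hostpicker\\n'` and `'$endpage'` are still interpolated into single-quoted JS literals with no `js_escape`, while the labels next to them now get it; how those three values are built is outside the hunk. If their construction does not already JS-escape them (a quote or line break in the picker's option text would end the literal), they need the same `&js_escape(\$hostpicker);` treatment as the messages before the heredoc is assembled. The enclosing function continues past the hunk.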
Index: loncom/interface/lonextresedit.pm
diff -u loncom/interface/lonextresedit.pm:1.7 loncom/interface/lonextresedit.pm:1.8
--- loncom/interface/lonextresedit.pm:1.7	Mon Jan  6 12:52:45 2014
+++ loncom/interface/lonextresedit.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Documents
 #
-# $Id: lonextresedit.pm,v 1.7 2014/01/06 12:52:45 raeburn Exp $
+# $Id: lonextresedit.pm,v 1.8 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -321,10 +321,11 @@
 }
 
 sub extedit_javascript {
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
         invurl  => 'Invalid URL',
         titbl   => 'Title is blank',
     );
+    &js_escape(\%js_lt);
 
     my $urlregexp = <<'ENDREGEXP';
 /^([a-z]([a-z]|\d|\+|-|\.)*):(\/\/(((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:)*@)?((\[(|(v[\da-f]{1,}\.(([a-z]|\d|-|\.|_|~)|[!\$&'\(\)\*\+,;=]|:)+))\])|((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=])*)(:\d*)?)(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*|(\/((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)?)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|!
 @)*)*)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)){0})(\?((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|[\uE000-\uF8FF]|\/|\?)*)?(\#((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|\/|\?)*)?$/i
@@ -340,7 +341,7 @@
         String.prototype.trim = function() {return this.replace(\/^\\s+|\\s+$\/g, "");};    }
     var url=extform.exturl.value;
     if (title == null || title.trim()=="") {
-        alert("$lt{'titbl'}");
+        alert("$js_lt{'titbl'}");
         extform.exttitle.focus();
         return;
     }
@@ -353,7 +354,7 @@
             eval("extform.importdetail.value=title+'='+url;extform.submit();");
         }
     } else {
-        alert("$lt{'invurl'}");
+        alert("$js_lt{'invurl'}");
         extform.exturl.focus();
         return;
     }
@@ -379,7 +380,7 @@
         if (regexp.test(url)) {
             openMyModal(url,500,400,'yes');
         } else {
-            alert("$lt{'invurl'}");
+            alert("$js_lt{'invurl'}");
         }
     }
 }
Index: loncom/interface/lonfeedback.pm
diff -u loncom/interface/lonfeedback.pm:1.369 loncom/interface/lonfeedback.pm:1.370
--- loncom/interface/lonfeedback.pm:1.369	Tue Feb 11 18:04:47 2014
+++ loncom/interface/lonfeedback.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Feedback
 #
-# $Id: lonfeedback.pm,v 1.369 2014/02/11 18:04:47 bisitz Exp $
+# $Id: lonfeedback.pm,v 1.370 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -336,12 +336,15 @@
         'aner' => 'An error occurred opening the manifest file.',
         'difo' => 'Discussion for',
         'aerr' => 'An error occurred opening the export file for posting',
+        'discussions' => 'DISCUSSIONS'
+    );
+    my %js_lt = &Apache::lonlocal::texthash(
         'aysu' => 'Are you sure you want to delete this post?',
         'dpwn' => 'Deleted posts will no longer be visible to you and other students',
         'bwco' => 'but will continue to be visible to your instructor',
         'depo' => 'Deleted posts will no longer be visible to you or anyone else.',
-        'discussions' => 'DISCUSSIONS'
     );
+    &js_escape(\%js_lt);
 
     my $currdisp = $lt{'allposts'};
     my $currmark = $lt{'onmark'};
@@ -447,12 +450,12 @@
            prevparm = "&previous="+previous
        }
        if (caller == 'studentdelete') {
-           if (confirm("$lt{'aysu'}\\n$lt{'dpwn'},\\n$lt{'bwco'}")) {
+           if (confirm("$js_lt{'aysu'}\\n$js_lt{'dpwn'},\\n$js_lt{'bwco'}")) {
                document.location.href = "/adm/feedback?hide="+symbparm+prevparm+groupparm
            }
        } else {
            if (caller == 'seeiddelete') {
-               if (confirm("$lt{'aysu'}\\n$lt{'depo'}")) {
+               if (confirm("$js_lt{'aysu'}\\n$js_lt{'depo'}")) {
                    document.location.href = "/adm/feedback?deldisc="+symbparm+prevparm+groupparm
                }
            }
@@ -1500,6 +1503,7 @@
                                     } else {
                                         $novote = &mt('No voting for hidden posts.');
                                     }
+                                    &html_escape(\$novote);
                                     $$discussionitems[$idx].=
                                         '<a href="javascript:alert('."'$novote'".');" style="text-decoration: none;">'.
                                         '<img border="0" src="/res/adm/pages/thumbsup_novote.png" alt="'.$novote.'" /> '.
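Review bot: `&html_escape(\$novote)` alone does not protect the `javascript:alert('...')` href on the following line: the browser HTML-decodes the attribute before the JS engine parses it, so a translated message containing `'` (common in French, for instance) still terminates the JS string literal, whereas the `alt` attribute after it needs HTML escaping only. The href copy must go through `&js_escape` first and `&html_escape` second, which means keeping two variables; the rewrite below does that. The same layering is missing in lonhtmlcommon.pm's coursepick hunk, where `onclick="...alert('."'".&html_escape(&mt(...))."'".')"` wraps the message in `html_escape` only — hoist the message into a variable, call `&js_escape(\$msg);` then `&html_escape(\$msg);`, and interpolate that. The enclosing concatenation statement continues past the end of this hunk.
```perl
# … unchanged: if/else assigning the raw message to $novote …
my $novote_js = $novote;      # separate copy: the javascript: href needs JS escaping, then HTML escaping
&js_escape(\$novote_js);
&html_escape(\$novote_js);
&html_escape(\$novote);       # alt="" attribute: HTML escaping only
$$discussionitems[$idx].=
    '<a href="javascript:alert('."'$novote_js'".');" style="text-decoration: none;">'.
    '<img border="0" src="/res/adm/pages/thumbsup_novote.png" alt="'.$novote.'" /> '.
# … unchanged: rest of the concatenation, outside the hunk …
```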
@@ -1900,6 +1904,7 @@
   my $latexHelp=&Apache::loncommon::helpLatexCheatsheet(undef,undef,1,($env{'form.modal'}?'popup':0));
   my $send=&mt('Send');
   my $alert = &mt('Please select a feedback type.');
+  &js_escape(\$alert);
   my $js= <<END;
 <script type="text/javascript">
 //<!--
@@ -2133,6 +2138,11 @@
         'yhni' => 'You have not indicated that you wish to change any of the discussion settings',
         'ywbr' => 'You will be returned to the previous page if you click OK.'
     );
+    my %js_lt = &Apache::lonlocal::texthash(
+        'yhni' => 'You have not indicated that you wish to change any of the discussion settings',
+        'ywbr' => 'You will be returned to the previous page if you click OK.'
+    );
+    &js_escape(\%js_lt);
 
     my $dispchangeA = $lt{'unread'};
     my $dispchangeB = $lt{'unmark'};
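Review bot: `yhni` and `ywbr` now exist both in `%lt` (the unchanged context lines just above) and in the new `%js_lt`, whereas the earlier hunk in this file at `@@ -336` moved the JS-only keys out of `%lt` instead of copying them. If the `%lt` copies are no longer referenced — the only use visible in this commit is the `confirm(...)` that now reads `%js_lt` — drop the two keys from `%lt`, so the unescaped text cannot be picked up by a later edit; any other uses would be outside the hunk. The enclosing function starts and ends outside the hunk.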
@@ -2226,7 +2236,7 @@
     if (chktotal > 0) { 
         document.modifydisp.submit()
     } else {
-        if(confirm("$lt{'yhni'}. \\n$lt{'ywbr'}"))      {
+        if(confirm("$js_lt{'yhni'}. \\n$js_lt{'ywbr'}"))      {
             if (prev > 0) {
                 location.href = "$feedurl?previous=$previous"
             } else {
Index: loncom/interface/lonhtmlcommon.pm
diff -u loncom/interface/lonhtmlcommon.pm:1.365 loncom/interface/lonhtmlcommon.pm:1.366
--- loncom/interface/lonhtmlcommon.pm:1.365	Thu May 28 12:20:16 2015
+++ loncom/interface/lonhtmlcommon.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # a pile of common html routines
 #
-# $Id: lonhtmlcommon.pm,v 1.365 2015/05/28 12:20:16 raeburn Exp $
+# $Id: lonhtmlcommon.pm,v 1.366 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -2478,7 +2478,7 @@
     if ($totcodes > 0) {
         my $numtitles = @$codetitles;
         if ($numtitles > 0) {
-            $output .= '<label><input type="radio" name="coursepick" value="category" onclick="coursePick(this.form);alert('."'".&mt('Choose categories, from left to right')."'".')" />'.&mt('Pick courses by category:').'</label><br />';
+            $output .= '<label><input type="radio" name="coursepick" value="category" onclick="coursePick(this.form);alert('."'".&html_escape(&mt('Choose categories, from left to right'))."'".')" />'.&mt('Pick courses by category:').'</label><br />';
             $output .= '<table><tr><td>'.$$codetitles[0].'<br />'."\n".
                '<select name="'.$standardnames->[0].
                '" onchange="setPick(this.form);courseSet('."'$$codetitles[0]'".')">'."\n".
@@ -2935,10 +2935,12 @@
 
 sub file_submissionchk_js {
     my ($turninpaths,$multiples) = @_;
-    my $overwritewarn = &mt('File(s) you uploaded for your submission will overwrite existing file(s) submitted for this item').'\\n'.
+    my $overwritewarn = &mt('File(s) you uploaded for your submission will overwrite existing file(s) submitted for this item')."\n".
                       &mt('Continue submission and overwrite the file(s)?');
-    my $delfilewarn = &mt('You have indicated you wish to remove some files previously included in your submission.').'\\n'.
+    &js_escape(\$overwritewarn);
+    my $delfilewarn = &mt('You have indicated you wish to remove some files previously included in your submission.')."\n".
                       &mt('Continue submission with these files removed?');
+    &js_escape(\$delfilewarn);
     my ($turninpathtext,$multtext,$arrayindexofjs);
     if (ref($turninpaths) eq 'HASH') {
         foreach my $key (sort(keys(%{$turninpaths}))) {
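Review bot: `$overwritewarn` and `$delfilewarn` now carry a real newline (`"\n"`) where the old code emitted the two-character JS escape `'\\n'`, so correctness rests on `&js_escape` turning that newline back into a `\n` escape before the strings are interpolated into the JS literals further down (outside the hunk); js_escape's definition is not in this diff, so please confirm it does that, otherwise the literal is cut by a line break. A comment on the join would make the dependency explicit, e.g. `# real newline here; js_escape() converts it to a \n escape for the JS literal`. The same change is made in the javascript_jumpto_resource hunk of this file.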
@@ -3443,8 +3445,9 @@
 ##############################################
 
 sub javascript_jumpto_resource {
-    my $confirm_switch = &mt("Editing requires switching to the resource's home server.").'\n'.
+    my $confirm_switch = &mt("Editing requires switching to the resource's home server.")."\n".
                          &mt('Switch server?');
+    &js_escape(\$confirm_switch);
     return (<<ENDUTILITY)
 
 function go(url) {
Index: loncom/interface/lonmodifycourse.pm
diff -u loncom/interface/lonmodifycourse.pm:1.77 loncom/interface/lonmodifycourse.pm:1.78
--- loncom/interface/lonmodifycourse.pm:1.77	Fri May 22 21:08:42 2015
+++ loncom/interface/lonmodifycourse.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # handler for DC-only modifiable course settings
 #
-# $Id: lonmodifycourse.pm,v 1.77 2015/05/22 21:08:42 raeburn Exp $
+# $Id: lonmodifycourse.pm,v 1.78 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1901,6 +1901,8 @@
     } elsif ($phase eq 'setquota') {
         my $invalid = &mt('The quota you entered contained invalid characters.');
         my $alert = &mt('You must enter a number');
+        &js_escape(\$invalid);
+        &js_escape(\$alert);
         my $regexp = '/^\s*(\d+\.?\d*|\.\d+)\s*$/';
         $js .= <<"ENDSCRIPT";
 
@@ -1920,6 +1922,8 @@
     } elsif ($phase eq 'setanon') {
         my $invalid = &mt('The responder threshold you entered is invalid.');
         my $alert = &mt('You must enter a positive integer.');
+        &js_escape(\$invalid);
+        &js_escape(\$alert);
         my $regexp = ' /^\s*\d+\s*$/';
         $js .= <<"ENDSCRIPT";
 
@@ -1945,6 +1949,9 @@
         my $invalid = &mt('The choice entered for disabling the submit button is invalid.');
         my $invalidtimeout = &mt('The timeout you entered for disabling the submit button is invalid.');
         my $alert = &mt('Enter one of: a positive integer, 0 (for no timeout), or leave blank to use domain default');
+        &js_escape(\$invalid);
+        &js_escape(\$invalidtimeout);
+        &js_escape(\$alert);
         my $regexp = ' /^\s*\d+\s*$/';
 
         $js .= <<"ENDSCRIPT"; 
Index: loncom/interface/lonmsgdisplay.pm
diff -u loncom/interface/lonmsgdisplay.pm:1.180 loncom/interface/lonmsgdisplay.pm:1.181
--- loncom/interface/lonmsgdisplay.pm:1.180	Thu Feb 12 21:22:07 2015
+++ loncom/interface/lonmsgdisplay.pm	Tue Jun  9 21:22:56 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Routines for messaging display
 #
-# $Id: lonmsgdisplay.pm,v 1.180 2015/02/12 21:22:07 raeburn Exp $
+# $Id: lonmsgdisplay.pm,v 1.181 2015/06/09 21:22:56 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -120,18 +120,23 @@
 
 sub folderlist {
     my ($folder,$msgstatus) = @_;
-    my %lt = &Apache::lonlocal::texthash(
+    my %html_lt = &Apache::lonlocal::texthash(
                 actn => 'Action',
                 fold => 'Folder',
                 show => 'Show',
                 status => 'Message Status',
                 go   => 'Go',
+
+    );
+    &html_escape(\%html_lt);
+    my %js_lt = &Apache::lonlocal::texthash(
                 nnff => 'New Name for Folder',
                 newn => 'New Name',
                 fmnb => 'Folder may not be renamed as it is a folder provided by the system.',
                 asth => 'Requested name already in use for a system-provided or user-defined folder.',
 
     );
+    &js_escape(\%js_lt);
 
 	# set se lastvisit for the new mail check in the toplevel menu
 	&Apache::lonnet::appenv({'user.mailcheck.lastvisit'=>time});
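Review bot: The new `+` line inside the `%html_lt` constructor is an empty line before the closing `);`, and the `%js_lt` constructor keeps the pre-existing blank line before its `);` as well; both read like leftovers from splitting the hash. Dropping the two blank lines so each hash ends with its last `key => 'value',` line directly followed by `);` keeps the two declarations consistent with the other texthash blocks in this commit. The enclosing function continues past the hunk.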
@@ -179,16 +184,16 @@
         if (targetform.folderaction.options[targetform.folderaction.selectedIndex].value == 'rename') {
             for (var i=0; i<permfolders_keys.length; i++) {
                 if (permfolders_keys[i] == targetform.folder.value) {
-                    alert("'"+permfolders_vals[i]+"' -- $lt{'fmnb'}");
+                    alert("'"+permfolders_vals[i]+"' -- $js_lt{'fmnb'}");
                     return;
                 }
             }
-            var foldername=prompt('$lt{'nnff'}','$lt{'newn'}');
+            var foldername=prompt('$js_lt{'nnff'}','$js_lt{'newn'}');
             if (foldername) {
                 targetform.renamed.value=foldername;
                 for (var i=0; i<allfolders.length; i++) {
                     if (allfolders[i] == foldername) {
-                        alert("'"+foldername+"' $lt{'asth'}");
+                        alert("'"+foldername+"' $js_lt{'asth'}");
                         return;
                     }
                 }
@@ -204,7 +209,7 @@
         if (newname) {
             for (var i=0; i<allfolders.length; i++) {
                 if (allfolders[i] == newname) {
-                    alert("'"+newname+"' -- $lt{'asth'}");
+                    alert("'"+newname+"' -- $js_lt{'asth'}");
                     return;
                 }
             }
@@ -223,21 +228,21 @@
    <legend>'.&mt('Folder Actions').'</legend>
    <table border="0" cellspacing="2" cellpadding="8">
     <tr>
-     <td><b>'.$lt{'fold'}.'</b><br />'."\n".
+     <td><b>'.$html_lt{'fold'}.'</b><br />'."\n".
          &Apache::loncommon::select_form($folder,'folder',\%formhash).'
      </td>
-     <td><b>'.$lt{'show'}.'</b><br />'."\n".
+     <td><b>'.$html_lt{'show'}.'</b><br />'."\n".
          &Apache::loncommon::select_form($env{'form.interdis'},'interdis',
 					 \%show).'
      </td>
-     <td><b>'.$lt{'status'}.'</b><br />'."\n".
+     <td><b>'.$html_lt{'status'}.'</b><br />'."\n".
        &Apache::loncommon::select_form($msgstatus,'msgstatus',\%statushash).'
      </td>
      <td style="padding-right: 40px;">
-         <b>'.$lt{'actn'}.'</b><br />'."\n".'
+         <b>'.$html_lt{'actn'}.'</b><br />'."\n".'
          <span class="LC_nobreak">'.
          &Apache::loncommon::select_form('view','folderaction',\%actions).
-         ' <input type="button" value="'.$lt{'go'}.
+         ' <input type="button" value="'.$html_lt{'go'}.
          '" onclick="javascript:folder_choice(this.form,'."'change'".');" />
          </span>
      </td>
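Review bot: `$html_lt{'go'}` is spliced into a double-quoted attribute (`value="'.$html_lt{'go'}.'"`), so `html_escape` must encode `"` as well as `<`, `>` and `&`; the helper is not in this chunk, so confirm it does, since a translation containing a quote would otherwise terminate the attribute. The same applies to `$html_lt{'subm'}` and `$html_lt{'clfm'}` in the lonsupportreq.pm hunks further down. Within this same block `&mt('Folder Actions')` (and `&mt('New Folder')` in the next hunk) is still emitted raw while the texthash values are escaped; giving those the same treatment keeps the escaping policy uniform.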
@@ -245,7 +250,7 @@
          <b>'.&mt('New Folder').'</b><br />'."\n".'
          <span class="LC_nobreak">
          <input type="text" size="15" name="newfolder" value="" />
-         <input type="button" value="'.$lt{'go'}.
+         <input type="button" value="'.$html_lt{'go'}.
          '" onclick="javascript:folder_choice(this.form,'."'new'".');" />
          </span>
      </td>
@@ -1051,11 +1056,12 @@
     my %setters = ();
     my $numblocked = 0;
     my ($startblock,$endblock) = &Apache::loncommon::blockcheck(\%setters,'com');
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                       sede => 'Select a destination folder to which the messages will be moved.',
                       nome => 'No messages have been selected to apply this action to.',
                       chec => 'Check the checkbox for at least one message.',  
     );
+    &js_escape(\%js_lt);
     my $jscript = &Apache::loncommon::check_uncheck_jscript();
     $r->print(<<ENDDISHEADER);
 <script type="text/javascript">
@@ -1066,7 +1072,7 @@
         document.disall.markedaction.value = document.disall.checkedaction.options[document.disall.checkedaction.selectedIndex].value;
         if (document.disall.checkedaction.options[document.disall.checkedaction.selectedIndex].value == 'markedmove') {
             if (document.disall.movetofolder.options[document.disall.movetofolder.selectedIndex].value == "") {
-                alert("$lt{'sede'}");
+                alert("$js_lt{'sede'}");
                 return;
             } 
         }
@@ -1083,7 +1089,7 @@
             }
         }   
         if (checktotal == 0) {
-            alert("$lt{'nome'}\\n$lt{'chec'}");
+            alert("$js_lt{'nome'}\\n$js_lt{'chec'}");
             return;
         }
         document.disall.submit();
Index: loncom/interface/lonpdfupload.pm
diff -u loncom/interface/lonpdfupload.pm:1.24 loncom/interface/lonpdfupload.pm:1.25
--- loncom/interface/lonpdfupload.pm:1.24	Fri Dec 12 14:21:22 2014
+++ loncom/interface/lonpdfupload.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # PDF Form Upload Handler
 #
-# $Id: lonpdfupload.pm,v 1.24 2014/12/12 14:21:22 raeburn Exp $
+# $Id: lonpdfupload.pm,v 1.25 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -122,6 +122,7 @@
 sub get_javascripts() {
     
     my $message = &mt('Please choose a PDF-File.');
+    &js_escape(\$message);
 
     # simple test if the upload ends with ".pdf"
     # it's only for giving a message to the user
Index: loncom/interface/lonpopulate.pm
diff -u loncom/interface/lonpopulate.pm:1.82 loncom/interface/lonpopulate.pm:1.83
--- loncom/interface/lonpopulate.pm:1.82	Fri Dec 12 14:30:47 2014
+++ loncom/interface/lonpopulate.pm	Tue Jun  9 21:22:57 2015
@@ -1,5 +1,5 @@
 # automated enrollment configuration handler
-# $Id: lonpopulate.pm,v 1.82 2014/12/12 14:30:47 raeburn Exp $
+# $Id: lonpopulate.pm,v 1.83 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -51,7 +51,7 @@
 sub choose_header {
     my ($action) = @_;
     my $notify_check = '/^note_[0-9]+$/';
-    my %lt = 
+    my %js_lt = 
         &Apache::lonlocal::texthash(
             adds => 'You must select either "Enable" or "Disable" for nightly additions based on classlist changes',
             drop => 'You must select either "Enable" or "Disable" for nightly removals based on classlist changes',
@@ -61,8 +61,9 @@
             ynot => 'You have indicated that you want notification of roster changes messages to be sent, but you have not selected any recipients.',
             atle => 'You must check at least one checkbox, before proceeding to the next page',
     );
-    $lt{'both'} = &mt('You have selected "No" for both addition and removal of students[_1] in the institutional classlist but not in your LON-CAPA course.[_1]','\\n');
-    $lt{'nnot'} = &mt('You have indicated that you do not want notification of roster changes messages to be sent, but [_1] have been checked as recipients.[_2]',"'+totalnote+'",'\\n');
+    $js_lt{'both'} = &mt('You have selected "No" for both addition and removal of students[_1] in the institutional classlist but not in your LON-CAPA course.[_1]',"\n");
+    $js_lt{'nnot'} = &mt('You have indicated that you do not want notification of roster changes messages to be sent, but [_1] have been checked as recipients.[_2]',"'+totalnote+'","\n");
+    &js_escape(\%js_lt);
     
     my $scripttag = <<ENDJSONE;
 <script type="text/javascript" language="JavaScript">
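Review bot: `$js_lt{'nnot'}` embeds the JavaScript splice `'+totalnote+'` and is then passed through `&js_escape(\%js_lt)`; because the value is later interpolated inside `confirm('$js_lt{'nnot'}$js_lt{'eras'}')`, js_escape has to escape `'`, which would turn the splice into literal text so the recipient count is no longer shown. Build the message with a placeholder, escape it, and insert the splice afterwards: `my $nnot = &mt('You have indicated that you do not want notification of roster changes messages to be sent, but [_1] have been checked as recipients.[_2]','__TOTALNOTE__',"\n");` followed by `&js_escape(\$nnot); ($js_lt{'nnot'} = $nnot) =~ s/__TOTALNOTE__/'+totalnote+'/;` placed after the hash escape. The js_escape implementation lives in loncommon.pm outside this chunk, so the failure mode is inferred from how the value is quoted. choose_header continues past the hunk.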
@@ -88,11 +89,11 @@
        }
    }
    if (rad1 == 0) {
-       alert('$lt{'adds'}');
+       alert('$js_lt{'adds'}');
        checker = 0
    }
    if (rad2 == 0) {
-       alert('$lt{'drop'}');
+       alert('$js_lt{'drop'}');
        checker = 0
    }
  }
@@ -116,15 +117,15 @@
          }
      }
      if (rad1 == 0) {
-         alert('$lt{'drop'}');
+         alert('$js_lt{'drop'}');
          checker = 0;
      }
      if (rad2 == 0) {
-         alert('$lt{'ysno'}');
+         alert('$js_lt{'ysno'}');
          checker = 0;
      }
      if (formName.updatedrops[unenrolldis].checked && formName.updateadds[enrolldis].checked ) {
-         alert('$lt{'both'}$lt{'noup'}');
+         alert('$js_lt{'both'}$js_lt{'noup'}');
          checker = 0;
      }
  }
@@ -141,7 +142,7 @@
      }
      if (totalnote > 0) {
 	 if (formName.notify[1].checked == true) {
-	     if (confirm('$lt{'nnot'}$lt{'eras'}')) {
+	     if (confirm('$js_lt{'nnot'}$js_lt{'eras'}')) {
 		 checker = 1;
 	     } else {
 		 checker = 0;
@@ -149,7 +150,7 @@
 	 }
      } else {
 	 if (formName.notify[0].checked == true) {
-	     alert('$lt{'ynot'}');
+	     alert('$js_lt{'ynot'}');
 	     checker = 0;
 	 }
      }
@@ -177,7 +178,7 @@
         document.forms.studentform.state.value = "process";
      }
      if (totcheck == 0) {
-        alert('$lt{'atle'}')
+        alert('$js_lt{'atle'}')
         checker = 0;
      }
  } 
Index: loncom/interface/lonrequestcourse.pm
diff -u loncom/interface/lonrequestcourse.pm:1.88 loncom/interface/lonrequestcourse.pm:1.89
--- loncom/interface/lonrequestcourse.pm:1.88	Mon Jun  8 22:06:52 2015
+++ loncom/interface/lonrequestcourse.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Request a course
 #
-# $Id: lonrequestcourse.pm,v 1.88 2015/06/08 22:06:52 raeburn Exp $
+# $Id: lonrequestcourse.pm,v 1.89 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -768,7 +768,7 @@
 ";
         }
     }
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
         official => 'You are not permitted to request creation of an official course in this domain.',
         unofficial => 'You are not permitted to request creation of an unofficial course in this domain.',
         community => 'You are not permitted to request creation of a community in this domain.',
@@ -776,33 +776,34 @@
         all => 'You must choose a specific course type when making a new course request.',
         allt => '"All types" is not allowed.',
     ); 
+    &js_escape(\%js_lt);
     $js .= <<END;
     if (crschoice == 'official') {
         if (official != 1) {
-            alert("$lt{'official'}");
+            alert("$js_lt{'official'}");
             return false;
         }
     } else {
         if (crschoice == 'unofficial') {
             if (unofficial != 1) {
-                alert("$lt{'unofficial'}");
+                alert("$js_lt{'unofficial'}");
                 return false;
             }
         } else {
             if (crschoice == 'community') {
                 if (community != 1) {
-                    alert("$lt{'community'}");
+                    alert("$js_lt{'community'}");
                     return false;
                 }
             } else {
                 if (crschoice == 'textbook') {
                     if (textbook != 1) {
-                        alert("$lt{'community'}");
+                        alert("$js_lt{'textbook'}");
                         return false;
                     }
                 } else {
                     if (actionchoice == 'new') {
-                        alert('$lt{'all'}'+'\\n'+'$lt{'allt'}');
+                        alert('$js_lt{'all'}'+'\\n'+'$js_lt{'allt'}');
                         return false;
                     }
                 }
@@ -1175,6 +1176,8 @@
     my %alerts = &section_check_alerts();
     my $secname = $alerts{'badsec'};
     my $secnone = $alerts{'reserved'};
+    &js_escape(\$secname);
+    &js_escape(\$secnone);
     my $output = '
 function validateEnrollSections(formname,nextstate) {
     var badsectotal = 0;
@@ -1232,8 +1235,10 @@
 
 sub personnel_lcsec_js {
     my %alerts = &section_check_alerts();
-    my $secname = $alerts{'badsec'}.'\\n'.$alerts{'separate'};
+    my $secname = $alerts{'badsec'}."\n".$alerts{'separate'};
     my $secnone = $alerts{'reserved'};
+    &js_escape(\$secname);
+    &js_escape(\$secnone);
     my $output = '
 function validatePersonnelSections(formname,nextstate) {
     var badsectotal = 0;
@@ -2416,8 +2421,9 @@
 }
 
 sub viewcancel_javascript {
-    my $alert = &mt('Are you sure you want to cancel this request?').'\\n'.
+    my $alert = &mt('Are you sure you want to cancel this request?')."\n".
                 &mt('Your request will be removed.');
+    &js_escape(\$alert);
     return << "ENDJS";
 function nextPage(formname,nextstate) {
     if (confirm('$alert')) {
@@ -3059,19 +3065,20 @@
 
 sub courseinfo_form {
     my ($dom,$formname,$crstype,$next,$description) = @_;
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                 official => 'You must provide a (brief) course description.',
                 community => 'You must provide a (brief) community description.'
              );
-    $lt{'unofficial'} = $lt{'official'};
-    $lt{'textbook'} = $lt{'official'};
+    &js_escape(\%js_lt);
+    $js_lt{'unofficial'} = $js_lt{'official'};
+    $js_lt{'textbook'} = $js_lt{'official'};
     my $js_validate = <<"ENDJS";
 <script type="text/javascript">
 // <![CDATA['
 
 function validateForm() {
     if ((document.$formname.cdescr.value == "")  || (document.$formname.cdescr.value == "undefined")) {
-        alert('$lt{$crstype}');
+        alert('$js_lt{$crstype}');
         return;
     }
     nextPage(document.$formname,'$next');
@@ -4881,13 +4888,14 @@
     my ($numprefab,$numcurrent) = @_;
     return unless (ref($numprefab) eq 'HASH');
     return if (!$numprefab->{'textbooks'} && !$numprefab->{'templates'} && !$numcurrent);
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                  choose   => 'Please select a content option.',
                  textbook => 'Please select a textbook, or choose a different option.',
                  template => 'Please select a template, or choose a different option.',        
                  existing => 'Please select one of your existing courses to copy, or choose a different option.',
                  title    => 'Please enter a course title.',
              );
+    &js_escape(\%js_lt);
     return <<"ENDSCRIPT";
 function cloneChoice() {
     if (document.requestcourse.cloning) {
@@ -4965,7 +4973,7 @@
         var radioLength = document.requestcourse.cloning.length;
         if (radioLength == undefined) {
             if (document.requestcourse.cloning.checked == false) {
-                alert("$lt{'choose'}");
+                alert("$js_lt{'choose'}");
                 return false;
             } else {
                 cloneChoice = document.requestcourse.cloning.value;
@@ -4978,7 +4986,7 @@
                 }
             }
             if (cloneChoice == 0) {
-                alert("$lt{'choose'}");
+                alert("$js_lt{'choose'}");
                 return false;
             }
         }
@@ -5010,12 +5018,12 @@
            }
            if (chosen == 0) {
                if (cloneChoice == 'textbook') {
-                   alert("$lt{'textbook'}");
+                   alert("$js_lt{'textbook'}");
                } else {
                    if (cloneChoice == 'template') {
-                       alert("$lt{'template'}");
+                       alert("$js_lt{'template'}");
                    } else {
-                       alert("$lt{'existing'}");
+                       alert("$js_lt{'existing'}");
                    }
                }
                return false;
@@ -5023,7 +5031,7 @@
         }
     }
     if (document.requestcourse.cdescr.value == '') {
-        alert("$lt{'title'}");
+        alert("$js_lt{'title'}");
         return false;
     }
     return true;
Index: loncom/interface/lonsupportreq.pm
diff -u loncom/interface/lonsupportreq.pm:1.78 loncom/interface/lonsupportreq.pm:1.79
--- loncom/interface/lonsupportreq.pm:1.78	Mon Jan 20 17:25:41 2014
+++ loncom/interface/lonsupportreq.pm	Tue Jun  9 21:22:57 2015
@@ -1,5 +1,5 @@
 #
-# $Id: lonsupportreq.pm,v 1.78 2014/01/20 17:25:41 bisitz Exp $
+# $Id: lonsupportreq.pm,v 1.79 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -116,11 +116,13 @@
     my $sourceurl = $machine.$origurl;
     $server = $machine.&Apache::loncommon::cleanup_html($origurl);
     $server =~ s/\?.*$//;
-    my %lt = &Apache::lonlocal::texthash (
+    my %js_lt = &Apache::lonlocal::texthash (
                   email => 'The e-mail address you entered',
                   notv => 'is not a valid e-mail address',
                   rsub => 'You must include a subject',
                   rdes => 'You must include a description',
+    );
+    my %html_lt = &Apache::lonlocal::texthash (
                   name => 'Name',
                   subm => 'Submit Request',
                   emad => 'Your e-mail address',
@@ -147,18 +149,20 @@
                   fini => 'Finish',
                   clfm => 'Clear Form',
     );
+    &js_escape(\%js_lt);
+    &html_escape(\%html_lt);
     my $scripttag = (<<"END");
 function validate() {
     if (validmail(document.logproblem.email) == false) {
-        alert("$lt{'email'}: "+document.logproblem.email.value+" $lt{'notv'}.");
+        alert("$js_lt{'email'}: "+document.logproblem.email.value+" $js_lt{'notv'}.");
         return;
     }
     if (document.logproblem.subject.value == '') {
-        alert("$lt{'rsub'}.");
+        alert("$js_lt{'rsub'}.");
         return;
     }
     if (document.logproblem.description.value == '') {
-        alert("$lt{'rdes'}.");
+        alert("$js_lt{'rdes'}.");
         return;
     }
     document.logproblem.submit();
@@ -299,7 +303,7 @@
                  &mt('(All fields marked with * are required.)').
                  '</span>'.
                  &Apache::lonhtmlcommon::row_closure().
-                 &Apache::lonhtmlcommon::row_title($lt{'name'},undef,$css[$num])."\n";
+                 &Apache::lonhtmlcommon::row_title($html_lt{'name'},undef,$css[$num])."\n";
     my $fullname = '';
     if ((defined($lastname) && $lastname ne '') && (defined($firstname) && $firstname ne '')) {
         $fullname = "$firstname $lastname"; 
@@ -312,13 +316,13 @@
         }
         $output .= '<input type="text" size="20" name="username" value="'.&HTML::Entities::encode($fullname,'"<>&').'" />'."\n";
     }
-    $output .= '     <input type="button" value="'.$lt{'subm'}.'" onclick="validate()" /> '.
+    $output .= '     <input type="button" value="'.$html_lt{'subm'}.'" onclick="validate()" /> '.
                 &Apache::lonhtmlcommon::row_closure()."\n";
     $num ++;
     $i = $num%2;
     $output .= &Apache::lonhtmlcommon::row_title(
                    '<span title="'.&mt('required').'">'.
-                   $lt{'emad'}.' <span class="LC_info">*</span></span>'
+                   $html_lt{'emad'}.' <span class="LC_info">*</span></span>'
                   ,undef,$css[$i]).
                '<input type="text" size="20" name="email" value="'.
                &HTML::Entities::encode($email,'"<>&').'" /><br />'."\n".
@@ -327,61 +331,61 @@
     $i = $num%2;
     if (($env{'user.name'} =~ /^$match_username$/) && (!$public)) {
         if ($homeserver) { 
-            $output .= &Apache::lonhtmlcommon::row_title($lt{'emac'},undef,$css[$i]).
+            $output .= &Apache::lonhtmlcommon::row_title($html_lt{'emac'},undef,$css[$i]).
                        '<input type="text" size="50" name="cc" value="" /><br />'."\n".
                        &Apache::lonhtmlcommon::row_closure();
             $num ++;
             $i = $num%2;
         }
     }
-    $output .= &Apache::lonhtmlcommon::row_title("$lt{'unme'}/$lt{'doma'}",undef,$css[$i]);
+    $output .= &Apache::lonhtmlcommon::row_title("$html_lt{'unme'}/$html_lt{'doma'}",undef,$css[$i]);
     my $udom_input = '<input type="hidden" name="udom" value="'.
                      &HTML::Entities::encode($udom,'"<>&').'" />'."\n";
     my $uname_input = '<input type="hidden" name="uname" value="'.
                       &HTML::Entities::encode($uname,'"<>&').'" />'."\n"; 
     if (($env{'user.name'} =~ /^$match_username$/) && 
         ($env{'user.domain'} =~ /^$match_domain$/) && (!$public)) {
-        $output .= '<i>'.$lt{'unme'}.'</i>: '.$uname.'  <i>'.$lt{'doma'}.'</i>: '.$udom.$udom_input.$uname_input;
+        $output .= '<i>'.$html_lt{'unme'}.'</i>: '.$uname.'  <i>'.$html_lt{'doma'}.'</i>: '.$udom.$udom_input.$uname_input;
     } else {
         my $udomform = '';
         my $unameform = '';
         if (($env{'user.domain'} =~ /^$match_domain$/) && (!$public)) {
-            $output .= $lt{'entu'};
+            $output .= $html_lt{'entu'};
         } elsif (($env{'user.name'} =~ /^$match_username$/) && (!$public)) { 
-            $output .= $lt{'chdo'};
+            $output .= $html_lt{'chdo'};
         } else {
-            $output .= $lt{'entr'};
+            $output .= $html_lt{'entr'};
         }
         $output .= '<br />'."\n";
         if (!$public) {
             if ($env{'user.domain'} =~ /^$match_domain$/) {
-                $udomform = '<i>'.$lt{'doma'}.'</i>: '.$udom.$udom_input;
+                $udomform = '<i>'.$html_lt{'doma'}.'</i>: '.$udom.$udom_input;
             } elsif ($env{'user.name'} =~ /^$match_username$/) {
-                $unameform = '<i>'.$lt{'unme'}.'</i>: '.$uname.'  '.$uname_input;
+                $unameform = '<i>'.$html_lt{'unme'}.'</i>: '.$uname.'  '.$uname_input;
             }
         }
         if ($udomform eq '') {
-            $udomform = '<i>'.$lt{'doma'}.'</i>: ';
+            $udomform = '<i>'.$html_lt{'doma'}.'</i>: ';
             $udomform .= &Apache::loncommon::select_dom_form($codedom,'udom')."\n";
         }
         if ($unameform eq '') {
-            $unameform= '<i>'.$lt{'unme'}.'</i>: <input type="text" size="20" name="uname" value="'.$uname.'" />  ';
+            $unameform= '<i>'.$html_lt{'unme'}.'</i>: <input type="text" size="20" name="uname" value="'.$uname.'" />  ';
         }
         $output .= $unameform.$udomform;
     }
     $output .= &Apache::lonhtmlcommon::row_closure();
     $num ++;
     $i = $num%2;
-    $output .= &Apache::lonhtmlcommon::row_title("$lt{'urlp'}",undef,$css[$i]).
+    $output .= &Apache::lonhtmlcommon::row_title("$html_lt{'urlp'}",undef,$css[$i]).
                $server."\n".'<input type="hidden" name="sourceurl" value="'.
                &HTML::Entities::encode($sourceurl,'"<>&').'" />'."\n".
                &Apache::lonhtmlcommon::row_closure().
-               &Apache::lonhtmlcommon::row_title("$lt{'phon'}",undef,'LC_evenrow_value').
+               &Apache::lonhtmlcommon::row_title("$html_lt{'phon'}",undef,'LC_evenrow_value').
                '<input type="text" size="15" name="phone" /><br />'."\n".
                &Apache::lonhtmlcommon::row_closure();
     $num ++;
     $i = $num%2; 
-    $output .= &Apache::lonhtmlcommon::row_title("$lt{'crsd'}$details_title",undef,$css[$i]);
+    $output .= &Apache::lonhtmlcommon::row_title("$html_lt{'crsd'}$details_title",undef,$css[$i]);
     if ($cnum) {
         if ($coursecodes{$cnum}) {
             foreach my $item (@codetitles) {
@@ -389,14 +393,14 @@
             }
             $output .= ' <input type="hidden" name="coursecode" value="'.&HTML::Entities::encode($coursecodes{$cnum},'"<>&').'" />'."\n";
         } else {
-            $output .= $lt{'enin'}.': 
+            $output .= $html_lt{'enin'}.': 
                   <input type="text" name="coursecode" size="15" value="" />'."\n";
         }
     } else {
         if ($totcodes > 0) {
             my $numtitles = @codetitles;
             if ($numtitles == 0) {
-                $output .= $lt{'enin'}.': 
+                $output .= $html_lt{'enin'}.': 
                   <input type="text" name="coursecode" size="15" value="" />'."\n";
             } else {
                 my @standardnames = &Apache::loncommon::get_standard_codeitems();
@@ -406,7 +410,7 @@
                 } 
                 $output .= '<table><tr><td>'.$codetitles[0].'<br />'."\n".
                       '<select name="'.$standardnames[0].'" onchange="courseSet('."'$codetitles[0]'".')">'."\n".
-                      ' <option value="-1">'.$lt{'sele'}."</option>\n";
+                      ' <option value="-1">'.$html_lt{'sele'}."</option>\n";
                 my @items = ();
                 my @longitems = ();
                 if ($idlist{$codetitles[0]} =~ /","/) {
@@ -435,7 +439,7 @@
                 for (my $i=1; $i<$numtitles; $i++) {
                     $output .= '<td>'.$codetitles[$i].'<br />'."\n".
                      '<select name="'.$standardnames[$i].'" onchange="courseSet('."'$codetitles[$i]'".')">'."\n".
-                     '<option value="-1"><-'.$lt{'pick'}.' '.$codetitles[$i-1].'</option>'."\n".
+                     '<option value="-1"><-'.$html_lt{'pick'}.' '.$codetitles[$i-1].'</option>'."\n".
                      '</select>'."\n".
                      '</td>'."\n";
                 }
@@ -443,30 +447,30 @@
                 if ($numtitles > 4) {
                     $output .= '<br /><br />'.$codetitles[$numtitles].'<br />'."\n".
                           '<select name="'.$standardnames[$numtitles].'" onchange="courseSet('."'$codetitles[$numtitles]'".')">'."\n".
-                          '<option value="-1"><-'.$lt{'pick'}.' '.$codetitles[$numtitles-1].'</option>'."\n".
+                          '<option value="-1"><-'.$html_lt{'pick'}.' '.$codetitles[$numtitles-1].'</option>'."\n".
                           '</select>'."\n";
                 }
             }
         } else {
-            $output .= $lt{'enin'}.': 
+            $output .= $html_lt{'enin'}.': 
                   <input type="text" name="coursecode" size="15" value="" />'."\n";
         }
     }
     if ($ctitle) {
-        $output .= '<br /><i>'.$lt{'titl'}.'</i>: '.$ctitle.
+        $output .= '<br /><i>'.$html_lt{'titl'}.'</i>: '.$ctitle.
                    '<input type="hidden" name="title" value="'.
                    &HTML::Entities::encode($ctitle,'"<>&').'" />'."\n";
     } else {
-        $output .= '<br />'.$lt{'enct'}.': 
+        $output .= '<br />'.$html_lt{'enct'}.': 
                  <input type="text" name="title" size="25" value="" />'."\n";
     }
     $output .= &Apache::lonhtmlcommon::row_closure();
     $num ++;
     $i = $num%2;
-    $output .= &Apache::lonhtmlcommon::row_title($lt{'secn'},undef,$css[$i]);
+    $output .= &Apache::lonhtmlcommon::row_title($html_lt{'secn'},undef,$css[$i]);
     if ($sectionlist) {
         $output .= "<select name=\"section\"\n>".
-                   "  <option value=\"\" selected=\"selected\">$lt{'sele'}</option>\n";
+                   "  <option value=\"\" selected=\"selected\">$html_lt{'sele'}</option>\n";
         foreach my $id (sort(keys(%groupid))) {
             if ($id eq $groupid{$id} || $groupid{$id} eq '') {
                 $output .= "  <option value=".
@@ -475,7 +479,7 @@
             } else {
                 $output .= "  <option value=".
                            &HTML::Entities::encode($id,'"<>&').
-                           " >$id - ($lt{'lsec'}: $groupid{$id})</option>\n";
+                           " >$id - ($html_lt{'lsec'}: $groupid{$id})</option>\n";
             }
         }
         $output .= "</select>";
@@ -487,13 +491,13 @@
     $i = $num%2; 
     $output .= &Apache::lonhtmlcommon::row_title(
                    '<span title="'.&mt('required').'">'.
-                   $lt{'subj'}.' <span class="LC_info">*</span></span>'
+                   $html_lt{'subj'}.' <span class="LC_info">*</span></span>'
                   ,undef,'LC_oddrow_value').
                '<input type="text" size="40" name="subject" />'."\n".
                &Apache::lonhtmlcommon::row_closure().
                &Apache::lonhtmlcommon::row_title(
                    '<span title="'.&mt('required').'">'.
-                   $lt{'detd'}.' <span class="LC_info">*</span></span>'
+                   $html_lt{'detd'}.' <span class="LC_info">*</span></span>'
                   ,undef,'LC_evenrow_value').
                '<textarea rows="10" cols="45" name="description" style="word-wrap:normal;">'.
                '</textarea>'."\n".
@@ -502,9 +506,9 @@
     $i = $num%2; 
     if (($env{'user.name'} =~ /^$match_username$/) && (!$public)) {
         if ($homeserver) {
-            $output .= &Apache::lonhtmlcommon::row_title($lt{'opfi'},undef,$css[$i]).
+            $output .= &Apache::lonhtmlcommon::row_title($html_lt{'opfi'},undef,$css[$i]).
                        ' <input type="file" name="screenshot" size="20" /><br />'.
-                       "\n".$lt{'uplf'}."\n".
+                       "\n".$html_lt{'uplf'}."\n".
                        &Apache::lonhtmlcommon::row_closure();
             $num ++;
             $i = $num%2;
@@ -525,17 +529,17 @@
             $i = $num%2;
         }
     }
-    $output .= &Apache::lonhtmlcommon::row_title($lt{'fini'},undef,$css[$i]);
+    $output .= &Apache::lonhtmlcommon::row_title($html_lt{'fini'},undef,$css[$i]);
     $output .= <<END;
              <table border="0" cellpadding="8" cellspacing="0">
               <tr>
                <td>
                 <input type="hidden" name="command" value="process" />
-                <input type="button" value="$lt{'subm'}" onclick="validate()" />  
+                <input type="button" value="$html_lt{'subm'}" onclick="validate()" />  
                </td>
                <td> </td>
                <td>
-                <input type="reset" value="$lt{'clfm'}" />
+                <input type="reset" value="$html_lt{'clfm'}" />
                </td>
               </tr>
              </table>
Index: loncom/interface/lonsyllabus.pm
diff -u loncom/interface/lonsyllabus.pm:1.137 loncom/interface/lonsyllabus.pm:1.138
--- loncom/interface/lonsyllabus.pm:1.137	Tue Jun 17 23:22:14 2014
+++ loncom/interface/lonsyllabus.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Syllabus
 #
-# $Id: lonsyllabus.pm,v 1.137 2014/06/17 23:22:14 raeburn Exp $
+# $Id: lonsyllabus.pm,v 1.138 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -580,6 +580,7 @@
         my $checkedstr = "var include = new Array('".join("','", at checked)."');";
         my $uncheckedstr = "var exclude = new Array('".join("','", at unchecked)."');";
         my $invurl = &mt('Invalid URL');
+        &js_escape(\$invurl);
         my $urlregexp = <<'ENDREGEXP';
 /^([a-z]([a-z]|\d|\+|-|\.)*):(\/\/(((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:)*@)?((\[(|(v[\da-f]{1,}\.(([a-z]|\d|-|\.|_|~)|[!\$&'\(\)\*\+,;=]|:)+))\])|((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=])*)(:\d*)?)(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*|(\/((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)?)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|!
 @)*)*)|((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)){0})(\?((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|[\uE000-\uF8FF]|\/|\?)*)?(\#((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|\/|\?)*)?$/i
 ENDREGEXP
@@ -1627,11 +1628,12 @@
 }
 
 sub editbutton_js {
-    my %lt = &Apache::lonlocal::texthash(
+    my %js_lt = &Apache::lonlocal::texthash(
                min    => 'Are you sure you want to delete the contents of the syllabus template?',
                file   => 'Are you sure you want to delete the uploaded syllabus file?',
                noundo => 'This action cannot be reversed.'
              );
+    &js_escape(\%js_lt);
     return <<ENDJS;
                 <script type="text/javascript">
                 // <![CDATA[
@@ -1642,12 +1644,12 @@
                       if (document.getElementById('deleteuploaded_'+caller)) {
                           document.getElementById('deleteuploaded_'+caller).value=1;
                           if (caller == 'minimal') {
-                              if (confirm("$lt{'min'}"+"\\n"+"$lt{'noundo'}")) {
+                              if (confirm("$js_lt{'min'}"+"\\n"+"$js_lt{'noundo'}")) {
                                   document.syllabus.submit();
                               }
                           }
                           if (caller == 'file') {
-                              if (confirm("$lt{'file'}"+"\\n"+"$lt{'noundo'}")) {
+                              if (confirm("$js_lt{'file'}"+"\\n"+"$js_lt{'noundo'}")) {
                                   document.syllabus.submit();
                               }
                           }
Index: loncom/interface/lonuserutils.pm
diff -u loncom/interface/lonuserutils.pm:1.169 loncom/interface/lonuserutils.pm:1.170
--- loncom/interface/lonuserutils.pm:1.169	Mon Dec 15 01:11:49 2014
+++ loncom/interface/lonuserutils.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Utility functions for managing LON-CAPA user accounts
 #
-# $Id: lonuserutils.pm,v 1.169 2014/12/15 01:11:49 raeburn Exp $
+# $Id: lonuserutils.pm,v 1.170 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -450,6 +450,7 @@
     if (($mode eq 'upload') && ($context eq 'domain')) {
         $alert{'inststatus'} = &mt('The optional affiliation field was not specified'); 
     }
+    &js_escape(\%alert);
     my $function_name = <<"END";
 $setsections_js
 
@@ -642,8 +643,9 @@
             $numbuttons ++;
         }
         if (!$can_assign->{'int'}) {
-            my $warning = &mt('You may not specify an initial password for each user, as this is only available when new users use LON-CAPA internal authentication.').'\n'.
+            my $warning = &mt('You may not specify an initial password for each user, as this is only available when new users use LON-CAPA internal authentication.')."\n".
                           &mt('Your current role does not have rights to create users with that authentication type.');
+            &js_escape(\$warning);
             $auth_update = <<"END";
    // Currently the initial password field is only supported for internal auth
    // (see bug 6368).
@@ -781,6 +783,7 @@
         if (!$can_assign->{'int'}) {
             my $warning = &mt('You may not specify an initial password, as this is only available when new users use LON-CAPA internal authentication.\n').
                           &mt('Your current role does not have rights to create users with that authentication type.');
+            &js_escape(\$warning);
             $auth_update = <<"END";
    // Currently the initial password field is only supported for internal auth
    // (see bug 6368).
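Review bot: The `\n` inside the single-quoted mt() argument on line 2230 is a literal backslash followed by n, so the new `&js_escape(\$warning);` on line 2232 doubles the backslash and the alert will show `\n` as text instead of a line break. The sibling hunk above (line 2222) fixed the same pattern by moving the newline out of the single quotes; the same change applies here: `my $warning = &mt('You may not specify an initial password, as this is only available when new users use LON-CAPA internal authentication.')."\n".` (the lexicon key changes accordingly, as it did at line 2222). The enclosing block starts before this hunk, so the surrounding heredoc is not visible.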
@@ -3173,6 +3176,10 @@
     my $noaction = &mt("You need to select an action to take for the user(s) you have selected"); 
     my $singconfirm = &mt(' for a single user?');
     my $multconfirm = &mt(' for multiple users?');
+    &js_escape(\$alert);
+    &js_escape(\$noaction);
+    &js_escape(\$singconfirm);
+    &js_escape(\$multconfirm);
     my $output = <<"ENDJS";
 function verify_action (field) {
     var numchecked = 0;
@@ -5215,18 +5222,25 @@
 
 sub section_check_js {
     my $groupslist= &get_groupslist();
+    my %js_lt = &Apache::lonlocal::texthash(
+        mayn   => 'may not be used as the name for a section, as it is a reserved word.',
+        plch   => 'Please choose a different section name.',
+        mnot   => 'may not be used as a section name, as it is the name of a course group.',
+        secn   => 'Section names and group names must be distinct. Please choose a different section name.',
+    );
+    &js_escape(\%js_lt);
     return <<"END";
 function validate(caller) {
     var groups = new Array($groupslist);
     var secname = caller.value;
     if ((secname == 'all') || (secname == 'none')) {
-        alert("'"+secname+"' may not be used as the name for a section, as it is a reserved word.\\nPlease choose a different section name.");
+        alert("'"+secname+"' $js_lt{'mayn'}\\n$js_lt{'plch'}");
         return 'error';
     }
     if (secname != '') {
         for (var k=0; k<groups.length; k++) {
             if (secname == groups[k]) {
-                alert("'"+secname+"' may not be used as the name for a section, as it is the name of a course group.\\nSection names and group names must be distinct. Please choose a different section name.");
+                alert("'"+secname+"' $js_lt{'mnot'}\\n$js_lt{'secn'}");
                 return 'error';
             }
         }
@@ -5385,7 +5399,8 @@
                     mnot => 'may not be used as a section name, as it is the name of a course group.',
                     secn => 'Section names and group names must be distinct. Please choose a different section name.',
                     nonw => 'Section names may only contain letters or numbers.',
-                 );                
+                 );
+    &js_escape(\%alerts);
     $setsection_js .= <<"ENDSECCODE";
 
 function setSections(formname,crstype) {
@@ -6022,6 +6037,7 @@
                     thwa => 'There was a problem with your course selection',
                     thwc => 'There was a problem with your community selection',
                  );
+    &js_escape(\%alerts);
     return %alerts;
 }
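Review bot: The `&js_escape(\%alerts);` added just before `return %alerts;` (here and at line 2297) changes what every caller of these subs receives: the values are now backslash-escaped for JavaScript string literals, so a caller that places them in HTML or plain text would show stray `\'` or `\\n` sequences. The sub names and their callers lie outside the hunk, so I cannot confirm that every use is inside a script block. A comment above the return such as `# values are escaped for use inside JavaScript string literals only` would record that contract; alternatively, leave the hashes raw and escape at the call site as the other hunks in this commit do.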
 
@@ -6032,6 +6048,7 @@
                     krb    => 'You need to specify the Kerberos domain.',
                     ipass  => 'You need to specify the initial password.',
         );
+    &js_escape(\%alerts);
     return %alerts;
 }
 
Index: loncom/interface/lonwishlist.pm
diff -u loncom/interface/lonwishlist.pm:1.24 loncom/interface/lonwishlist.pm:1.25
--- loncom/interface/lonwishlist.pm:1.24	Sat Dec 20 15:35:40 2014
+++ loncom/interface/lonwishlist.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Utility-routines for wishlist
 #
-# $Id: lonwishlist.pm,v 1.24 2014/12/20 15:35:40 raeburn Exp $
+# $Id: lonwishlist.pm,v 1.25 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -536,12 +536,16 @@
             ' Paths to LON-CAPA resources must be of the form /res/domain/user/...'.
             ' Paths to external websites must contain the network protocol, e.g. http://...');
     my $warningLinkNotAllowed2 = &mt('The following link is not allowed:').' ';
-    my $warningLink = &mt('You must insert a title and a path!');
-    my $warningFolder = &mt('You must insert a title!');
     my $warningDelete = &mt('Are you sure you want to delete the selected entries? Deleting a folder also deletes all entries within this folder!');
     my $warningSave = &mt('You have unsaved changes. You can either save these changes now by clicking "OK" or click "Cancel" if you do not want to save your changes.');
     my $warningMoveS = &mt('You must select at minimum one entry to move!');
     my $warningMoveD = &mt('You must select a destination folder!');
+    &js_escape(\$warningLinkNotAllowed1);
+    &js_escape(\$warningLinkNotAllowed2);
+    &js_escape(\$warningDelete);
+    &js_escape(\$warningSave);
+    &js_escape(\$warningMoveS);
+    &js_escape(\$warningMoveD);
     $foldersOption = '';
 
     my $js = &Apache::lonhtmlcommon::scripttag(<<JAVASCRIPT);
@@ -1661,6 +1665,8 @@
             ' or to external websites.'.
             ' Paths to LON-CAPA resources must be of the form /res/domain/user/...'.
             ' Paths to external websites must contain the network protocol, e.g. http://...');
+    &js_escape(\$warningLink);
+    &js_escape(\$warningLinkNotAllowed1);
 
     my $inPageWishlistlink1 = '<h1>'.&mt('Save to Stored Links').'</h1>';
     # If no title is delivered, 'New Link' is called up from the wishlist-interface, so after
@@ -1764,7 +1770,7 @@
                                        'bgcolor'   => '#FFFFFF',});
 
     my $warningFolder = &mt('You must insert a title!');
-
+    &js_escape(\$warningFolder);
 
     my $inPageNewFolder = '<h1>'.&mt('New Folder').'</h1>'.
                           '<form method="post" name="newfolder" action="/adm/wishlist" target="wishlist" '.
Index: loncom/interface/selfenroll.pm
diff -u loncom/interface/selfenroll.pm:1.31 loncom/interface/selfenroll.pm:1.32
--- loncom/interface/selfenroll.pm:1.31	Sun Apr  6 14:11:01 2014
+++ loncom/interface/selfenroll.pm	Tue Jun  9 21:22:57 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Allow users to self-enroll in a course
 #
-# $Id: selfenroll.pm,v 1.31 2014/04/06 14:11:01 raeburn Exp $
+# $Id: selfenroll.pm,v 1.32 2015/06/09 21:22:57 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -221,7 +221,8 @@
     if ($sso_url eq '') {
         $sso_url = $login_path;
     }
-    $missing_formitem = &mt('The link to the requested page could not be followed.')."\\n".&mt('The placeholder for the courseID is absent.');
+    $missing_formitem = &mt('The link to the requested page could not be followed.')."\n".&mt('The placeholder for the courseID is absent.');
+    &js_escape(\$missing_formitem);
     if ($knownuser) {
         if (keys(%curr_role)) {
             $r->print('<h3>'.&mt('Self-enrollment unavailable').'</h3>'.
Index: loncom/interface/statistics/lonstathelpers.pm
diff -u loncom/interface/statistics/lonstathelpers.pm:1.73 loncom/interface/statistics/lonstathelpers.pm:1.74
--- loncom/interface/statistics/lonstathelpers.pm:1.73	Fri Feb 28 19:20:17 2014
+++ loncom/interface/statistics/lonstathelpers.pm	Tue Jun  9 21:23:02 2015
@@ -1,6 +1,6 @@
 # The LearningOnline Network with CAPA
 #
-# $Id: lonstathelpers.pm,v 1.73 2014/02/28 19:20:17 bisitz Exp $
+# $Id: lonstathelpers.pm,v 1.74 2015/06/09 21:23:02 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -286,7 +286,8 @@
 END
     if (ref($anoncounter) eq 'HASH') {
         if (keys(%{$anoncounter}) > 0) {
-            my $anonwarning = &mt('Your selection includes both problems with and without anonymous submissions.').'\n'.&mt('You must select either only anonymous or only named problems.').'\n\n'.&mt('If a selection contains both anonymous and named parts,[_1]use the Anonymous/Named buttons to ensure selections will be either all anonymous[_1]or all named.','\n');
+            my $anonwarning = &mt('Your selection includes both problems with and without anonymous submissions.')."\n".&mt('You must select either only anonymous or only named problems.')."\n\n".&mt('If a selection contains both anonymous and named parts,[_1]use the Anonymous/Named buttons to ensure selections will be either all anonymous[_1]or all named.',"\n");
+            &js_escape(\$anonwarning);
             $checkanonjs = <<"END";
 
 <script type="text/javascript" language="JavaScript">
Index: loncom/localize/lonlocal.pm
diff -u loncom/localize/lonlocal.pm:1.65 loncom/localize/lonlocal.pm:1.66
--- loncom/localize/lonlocal.pm:1.65	Thu Dec 11 01:47:25 2014
+++ loncom/localize/lonlocal.pm	Tue Jun  9 21:23:15 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Localization routines
 #
-# $Id: lonlocal.pm,v 1.65 2014/12/11 01:47:25 raeburn Exp $
+# $Id: lonlocal.pm,v 1.66 2015/06/09 21:23:15 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -171,7 +171,7 @@
 require Exporter;
 
 our @ISA = qw (Exporter);
-our @EXPORT = qw(mt mtn ns mt_user);
+our @EXPORT = qw(mt mtn ns mt_user js_escape html_escape);
 
 my %mtcache=();
 
@@ -575,6 +575,79 @@
     $$str_ref =~s/([\[\]])/~$1/g;
 }
 
+=pod 
+
+=item * js_escape
+
+js_escape takes a string, string reference or hash reference,
+and escapes the values so that they can be used within a <script> element.
+It replaces all instances of \ by \\, ' by \', " by \" and \n by \\n.
+It is typically used with localized strings, which might contain quotes.
+
+=cut
+
+sub js_escape {
+    my ($v) = @_;
+    my $ref = ref($v);
+    if ($ref eq 'SCALAR') {
+        $$v =~ s/\\/\\\\/g;
+        $$v =~ s/'/\\'/g;
+        $$v =~ s/"/\\"/g;
+        $$v =~ s/\n/\\n/g;
+    } elsif ($ref eq 'HASH') {
+        foreach my $key (keys %$v) {
+            $v->{$key} =~ s/\\/\\\\/g;
+            $v->{$key} =~ s/'/\\'/g;
+            $v->{$key} =~ s/"/\\"/g;
+            $v->{$key} =~ s/\n/\\n/g;
+        }
+    } else {
+        $v =~ s/\\/\\\\/g;
+        $v =~ s/'/\\'/g;
+        $v =~ s/"/\\"/g;
+        $v =~ s/\n/\\n/g;
+        return $v;
+    }
+}
+
+=pod 
+
+=item * html_escape
+
+js_escape takes a string, string reference or hash reference,
+and escapes the values so that they can be used as HTML.
+It encodes <, >, &, ' and ".
+
+=cut
+
+sub html_escape {
+    my ($v) = @_;
+    my $ref = ref($v);
+    if ($ref eq 'SCALAR') {
+        $$v =~ s/&/&/g;
+        $$v =~ s/</</g;
+        $$v =~ s/>/>/g;
+        $$v =~ s/'/'/g;
+        $$v =~ s/"/"/g;
+    } elsif ($ref eq 'HASH') {
+        foreach my $key (keys %$v) {
+            $v->{$key} =~ s/&/&/g;
+            $v->{$key} =~ s/</</g;
+            $v->{$key} =~ s/>/>/g;
+            $v->{$key} =~ s/'/'/g;
+            $v->{$key} =~ s/"/"/g;
+        }
+    } else {
+        $v =~ s/&/&/g;
+        $v =~ s/</</g;
+        $v =~ s/>/>/g;
+        $v =~ s/'/'/g;
+        $v =~ s/"/"/g;
+        return $v;
+    }
+    # NOTE: we could also turn \n into <br> if needed
+}
+
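Review bot: js_escape leaves `</` intact, so a value containing `</script>` would close the script element no matter how the surrounding JavaScript string is quoted; adding `$$v =~ s{</}{<\\/}g;` (and `\r` → `\\r`) in each of the three branches closes that gap, since `<\/` is the same string to JavaScript. The reference branches return the count from the last substitution while the plain-string branch returns the escaped copy; an explicit `return;` after the if/elsif/else would document that the reference forms work in place. html_escape's POD opens with "js_escape takes a string…", a copy-paste slip that should name html_escape. As rendered here the html_escape substitutions have identical search and replacement text (`s/&/&/g`), which would make the routine a no-op; presumably the entity references were decoded by the mail archive, but it is worth confirming the committed source has `&amp;`, `&lt;`, `&gt;`, `&#39;` and `&quot;`, with `&` handled first as it is here.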
 =pod
 
 =item * choose_language
Index: loncom/publisher/lonpubmenu.pm
diff -u loncom/publisher/lonpubmenu.pm:1.6 loncom/publisher/lonpubmenu.pm:1.7
--- loncom/publisher/lonpubmenu.pm:1.6	Thu Feb 26 16:10:49 2009
+++ loncom/publisher/lonpubmenu.pm	Tue Jun  9 21:23:27 2015
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Construction Space Buttons for Top Frame 
 #
-# $Id: lonpubmenu.pm,v 1.6 2009/02/26 16:10:49 schafran Exp $
+# $Id: lonpubmenu.pm,v 1.7 2015/06/09 21:23:27 damieng Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -34,10 +34,13 @@
 
 sub handler {
     my $r = shift;
-    my %lt=&Apache::lonlocal::texthash(
+    my %js_lt=&Apache::lonlocal::texthash(
                                        cnpd => 'Cannot publish directory',
                                        cnrd => 'Cannot retrieve directory',
                                        mcdi => 'Must create new subdirectory inside a directory',
+                                      );
+    &js_escape(\%js_lt);
+    my %html_lt=&Apache::lonlocal::texthash(
                                        pubr => 'Publish this Resource',
                                        pubd => 'Publish this Directory',
                                        rtrv => 'Retrieve Old Version',
@@ -63,6 +66,7 @@
                                        go => 'Go',
                                        prnt => 'Print'
                                       );
+    &html_escape(\%html_lt);
     &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['disp']);
     my $disp = $env{'form.disp'};
 # set defaults for parent directory in case frameloc is unable to determine directory
@@ -121,7 +125,7 @@
       if ((document.fileaction.filename.value.charAt(
            document.fileaction.filename.value.length-1)!='/') &&
            (document.fileaction.filename.value.indexOf('/adm/pubdir')==-1)) {
-          alert('$lt{'mcdi'}');
+          alert('$js_lt{'mcdi'}');
           return;
       }
    }
@@ -208,7 +212,7 @@
       (document.publisher.filename.value.indexOf('/adm/pubdir')==-1)) {
         document.publisher.submit();
     } else {
-        alert('$lt{'cnpd'}');
+        alert('$js_lt{'cnpd'}');
     }
 }
 
@@ -219,7 +223,7 @@
        (document.rpublisher.filename.value.indexOf('/adm/pubdir')==-1)) {
         document.rpublisher.submit();
    } else {
-      alert('$lt{'cnrd'}');
+      alert('$js_lt{'cnrd'}');
    }
 }
 
@@ -245,14 +249,14 @@
                     <form name="publishdir" action="/adm/publish" target="_parent" method="post">
                       <input type="hidden" name="filename" value="" />
                       <input type="hidden" name="forcerepub" value="NO" />
-                      <input type="button" value="'.$lt{'pubd'}.'" onclick="getdirname();" />
+                      <input type="button" value="'.$html_lt{'pubd'}.'" onclick="getdirname();" />
                     </form>
                  ');
     } else {
         $r->print('
                     <form name="publisher" action="/adm/publish" target="_parent" method="post">
                       <input type="hidden" name="filename" value="" />
-	              <input type="button" value="'.$lt{'pubr'}.'" onclick="getfilename();" />
+	              <input type="button" value="'.$html_lt{'pubr'}.'" onclick="getfilename();" />
                     </form>
                    ');
     }
@@ -262,7 +266,7 @@
 		  <td bgcolor="#ccddaa" align="center">
 		    <form name="dpublisher" action="/adm/pubdir" target="LONCAPAToBePublished" method="post">
 		      <input type="hidden" name="filename" value="" />
-		      <input type="button" value="$lt{'list'}" onclick="getdfilename();" />
+		      <input type="button" value="$html_lt{'list'}" onclick="getdfilename();" />
 		    </form>
 		  </td>
 		  <td bgcolor="#ccddaa" valign="top" align="center">
@@ -270,7 +274,7 @@
 			method="post" enctype="multipart/form-data">
 		      <input type="hidden" name="filename" value="" />
 		      <input type="file" name="upfile" size="20" />
-		      <input type="button" value="$lt{'uplo'}"  onclick="getufilename();" />
+		      <input type="button" value="$html_lt{'uplo'}"  onclick="getufilename();" />
 		    </form>
 		  </td>
 		  <td rowspan="2" bgcolor="#ccddaa" align="center">
@@ -278,7 +282,7 @@
 		      <input type="hidden" name="postdata" value="" />
 		      <input type="hidden" name="curseed" value="" />
 		      <input type="hidden" name="problemtype" value="" />
-		      <input type="button" value="$lt{'prnt'}" onclick="getpostdata();" />
+		      <input type="button" value="$html_lt{'prnt'}" onclick="getpostdata();" />
 		    </form>
 		  </td>
 		</tr>
@@ -291,13 +295,13 @@
                       <input type="hidden" name="filename" value="" />
                       <input type="hidden" name="forcerepub" value="NO" />
                       <input type="hidden" name="pubrec" value="1" />
-                      <input type="button" value="$lt{'pubs'}" onclick="getsubdirname();" />
+                      <input type="button" value="$html_lt{'pubs'}" onclick="getsubdirname();" />
                     </form>
                   </td>
                   <td bgcolor="#ccddaa">
                     <form name="editcat" action="/adm/cfile" target="_parent" method="post">
                       <input type="hidden" name="filename" value="" />
-                      <input type="button" value="$lt{'edit'}" onclick="geteditcat();" />
+                      <input type="button" value="$html_lt{'edit'}" onclick="geteditcat();" />
                     </form>
                   </td>
 ENDDIR
@@ -306,14 +310,14 @@
 		  <td bgcolor="#ccddaa" align="center">
 		    <form name="rpublisher" action="/adm/retrieve" target="_parent" method="post">
 		      <input type="hidden" name="filename" value="" />
-		      <input type="button" value="$lt{'rtrv'}" onclick="getrfilename();" />
+		      <input type="button" value="$html_lt{'rtrv'}" onclick="getrfilename();" />
 		    </form>
 		  </td>
 		  <td bgcolor="#ccddaa">
 		    <form name="del" action="/adm/cfile" target="_parent" method="post">
 		      <input type="hidden" name="filename" value="" />
 		      <input type="hidden" name="action" value="delete" />
-	              <input type="button" value="$lt{'dele'}" onclick="getdelfilename();" />
+	              <input type="button" value="$html_lt{'dele'}" onclick="getdelfilename();" />
 		    </form>
 		  </td>
 ENDFILE
@@ -324,26 +328,26 @@
 		      <nobr>
 			<input type="hidden" name="filename" value="" />
 			  <select name="action">
-			    <option value="Select Action">$lt{'sela'}</option>
-			    <option value="newfile">$lt{'nfil'}:</option>
-			    <option value="newhtmlfile">$lt{'nhtm'}:</option>
-			    <option value="newproblemfile">$lt{'nprb'}:</option>
-                            <option value="newpagefile">$lt{'npag'}:</option>
-                            <option value="newsequencefile">$lt{'nseq'}:</option>
-                            <option value="newrightsfile">$lt{'ncrf'}:</option>
-                            <option value="newstyfile">$lt{'nsty'}:</option>
-                            <option value="newlibraryfile">$lt{'nlib'}:</option>
-			    <option value="newdir">$lt{'nsub'}:</option>
+			    <option value="Select Action">$html_lt{'sela'}</option>
+			    <option value="newfile">$html_lt{'nfil'}:</option>
+			    <option value="newhtmlfile">$html_lt{'nhtm'}:</option>
+			    <option value="newproblemfile">$html_lt{'nprb'}:</option>
+                            <option value="newpagefile">$html_lt{'npag'}:</option>
+                            <option value="newsequencefile">$html_lt{'nseq'}:</option>
+                            <option value="newrightsfile">$html_lt{'ncrf'}:</option>
+                            <option value="newstyfile">$html_lt{'nsty'}:</option>
+                            <option value="newlibraryfile">$html_lt{'nlib'}:</option>
+			    <option value="newdir">$html_lt{'nsub'}:</option>
 ENDOPTIONS
     if ($disp ne 'dir') {
         $r->print(<<"ENDPROBOPS");
-			    <option value="rename">$lt{'renm'}:</option>
-			    <option value="move">$lt{'move'}:</option>
-			    <option value="copy">$lt{'copy'}:</option>
+			    <option value="rename">$html_lt{'renm'}:</option>
+			    <option value="move">$html_lt{'move'}:</option>
+			    <option value="copy">$html_lt{'copy'}:</option>
 ENDPROBOPS
     }
     $r->print(<<"ENDPAGE");
-			  </select> <input type="text" name="newfilename" value="$lt{'type'}" onfocus="if (this.value == '$lt{'type'}') this.value=''" /> <input type="button" value="$lt{'go'}" onclick="getactionfilename();" />
+			  </select> <input type="text" name="newfilename" value="$html_lt{'type'}" onfocus="if (this.value == '$html_lt{'type'}') this.value=''" /> <input type="button" value="$html_lt{'go'}" onclick="getactionfilename();" />
 		      </nobr>
 		    </form>
 		   </td>
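Review bot: On line 2675, `$html_lt{'type'}` is interpolated into the JavaScript literal inside the onfocus attribute, but it has only been html_escape'd; the browser decodes the entity back to an apostrophe before the handler runs, so a translation of 'type' containing `'` would still break the script. That spot needs JS escaping first and HTML escaping of the result, e.g. before the `&html_escape(\%html_lt)` call: `my $type_js = &js_escape($html_lt{'type'}); &html_escape(\$type_js);` and then `onfocus="if (this.value == '$type_js') this.value=''"`. The other %html_lt uses on this page are plain attribute values or element text, where html_escape alone is correct. handler's body extends past this hunk.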

