diff --git a/resources/static/dialog/views/authenticate.ejs b/resources/static/dialog/views/authenticate.ejs index 285c4f58a1112e0d360486a909ba613c164e0a09..99e82cad3340c241bc73a0d9ef817854278c38b3 100644 --- a/resources/static/dialog/views/authenticate.ejs +++ b/resources/static/dialog/views/authenticate.ejs @@ -4,7 +4,7 @@ <div class="form_section"> <p class="start"> - <%= format(gettext('%s uses Persona instead of usernames to sign you in.'), ["<strong>" + siteName +"</strong>"]) %> + <%- format(gettext('%s uses Persona instead of usernames to sign you in.'), ["<strong>" + escape(siteName) +"</strong>"]) %> </p> @@ -58,7 +58,7 @@ <p class="submit tospp"> - <%= format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), + <%- format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), { site: "Persona", terms: 'href="https://login.persona.org/tos" target="_new"', privacy: 'href="https://login.persona.org/privacy" target="_new"' }) %> diff --git a/resources/static/dialog/views/confirm_email.ejs b/resources/static/dialog/views/confirm_email.ejs index a796667bc6c500bd03bee8a8ede2f2926e40412c..853019e6283add12b9204376ef426917c3fc90d0 100644 --- a/resources/static/dialog/views/confirm_email.ejs +++ b/resources/static/dialog/views/confirm_email.ejs @@ -5,10 +5,10 @@ <h2><%= gettext('Confirm your email address') %></h2> <p> - <%= format(gettext('Check your email at %s.'), ["<strong>" + email + "</strong>"]) %> + <%- format(gettext('Check your email at %s.'), ["<strong>" + escape(email) + "</strong>"]) %> </p> <p> - <%= format(gettext('Click the link in the confirmation email. You\'ll then immediately be signed in to %s.'), ["<strong>" + siteName + "</strong>"]) %> + <%- format(gettext('Click the link in the confirmation email. You\'ll then immediately be signed in to %s.'), ["<strong>" + escape(siteName) + "</strong>"]) %> </p> 
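Review bot: The first authenticate.ejs hunk makes `escape(siteName)` the only barrier between a presumably site-supplied name and raw `<%-` output, and nothing in the hunk shows which `escape` the template scope resolves to. If it is not an HTML-entity escaper provided to the view but the browser's global `escape()`, the value is percent-encoded instead, which garbles spaces and non-ASCII names and is not an HTML escaping contract. Confirm the helper encodes `&`, `<`, `>`, `"` and `'`, and mark the line with a comment such as `<% /* raw output: every interpolated value must pass through the HTML escaper */ %>`. The same applies to `escape(email)` and `escape(siteName)` in the confirm_email.ejs hunk.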
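Review bot: In the second authenticate.ejs hunk the string returned by `gettext(...)` is now written to the page unescaped, so the locale catalogs become part of the trusted markup and this is not documented anywhere in the template. The substituted values here are constants, so the exposure is limited to the translated text itself. I would add `<% /* gettext output is rendered as HTML; translations may contain only the <a %(terms)> and <a %(privacy)> placeholders */ %>` above the call and check catalogs for other tags at build time. The same pattern recurs in the required_email.ejs, set_password.ejs and verify_primary_user.ejs hunks.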
diff --git a/resources/static/dialog/views/error.ejs b/resources/static/dialog/views/error.ejs index 14f7c8f39c28e2b44bf2f1387247e7695ff3eec3..c32abe1793583a8453a84ce6de4501acf6bb1c68 100644 --- a/resources/static/dialog/views/error.ejs +++ b/resources/static/dialog/views/error.ejs @@ -13,7 +13,7 @@ <h2 id="error_403"> <%= gettext("Persona requires cookies to remember you.") %> </h2> - <%= format(gettext("Please close this window, <a %s>enable cookies</a> and try again"), [" target='_blank' href='http://support.mozilla.org/kb/Websites%20say%20cookies%20are%20blocked'"]) %> + <%- format(gettext("Please close this window, <a %s>enable cookies</a> and try again"), [" target='_blank' href='http://support.mozilla.org/kb/Websites%20say%20cookies%20are%20blocked'"]) %> <% } else if(typeof title === "string") { %> <h2> <span class="emphasis"><%= title %></span> diff --git a/resources/static/dialog/views/required_email.ejs b/resources/static/dialog/views/required_email.ejs index 500327fbfee2c46573f4bf473542d07848b2d8b5..2934b42982d63e4199d31bd06a1b9526da1e8c44 100644 --- a/resources/static/dialog/views/required_email.ejs +++ b/resources/static/dialog/views/required_email.ejs @@ -63,7 +63,7 @@ </p> <% if (personaTOSPP) { %> <p class="tospp"> - <%= format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), + <%- format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), { site: "Persona", terms: 'href="https://login.persona.org/tos" target="_new"', privacy: 'href="https://login.persona.org/privacy" target="_new"' }) %> diff --git a/resources/static/dialog/views/rp_info.ejs b/resources/static/dialog/views/rp_info.ejs index 4ae1e5a072a978a33d7676d706c272d0d75c83d0..43a4b3140cc82e70349b8321af6418cbea4e1847 100644 --- a/resources/static/dialog/views/rp_info.ejs +++ b/resources/static/dialog/views/rp_info.ejs 
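Review bot: The help link in the error.ejs hunk becomes live markup with this change, yet its `href` is plain `http://` and it opens with `target='_blank'` and no `rel`. A link shown inside a sign-in dialog should not lead to a page that can be modified in transit, and the opened page should not get a handle on the dialog window. I would change the argument to `[" target='_blank' rel='noopener noreferrer' href='https://support.mozilla.org/kb/Websites%20say%20cookies%20are%20blocked'"]`.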
@@ -19,7 +19,7 @@ <% if(privacyPolicy && termsOfService) { %> <p id="rptospp" class="tospp"> - <%= format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), + <%- format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), { terms: 'href="' + termsOfService + '" id="rp_tos" target="_blank"', privacy: 'href="' + privacyPolicy + '" id="rp_pp" target="_blank"', diff --git a/resources/static/dialog/views/set_password.ejs b/resources/static/dialog/views/set_password.ejs index 74a75f3d11d4da5eacea04ecc4e7506a94e415ea..ed213f78304faa1a4913dda802d58e8fe0a2c85a 100644 --- a/resources/static/dialog/views/set_password.ejs +++ b/resources/static/dialog/views/set_password.ejs @@ -71,7 +71,7 @@ <% if (personaTOSPP) { %> <p id="persona_tospp" class="submit tospp"> - <%= format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), + <%- format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), { site: "Persona", terms: 'href="https://login.persona.org/tos" target="_new"', privacy: 'href="https://login.persona.org/privacy" target="_new"' }) %> diff --git a/resources/static/dialog/views/verify_primary_user.ejs b/resources/static/dialog/views/verify_primary_user.ejs index 695924ac81a007098eea328f7f365730cf6de3d4..76f26652ef056d4d04386c8ecbf058314f3de672 100644 --- a/resources/static/dialog/views/verify_primary_user.ejs +++ b/resources/static/dialog/views/verify_primary_user.ejs 
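Review bot: In the rp_info.ejs hunk `termsOfService` and `privacyPolicy` are concatenated into `href="…"` and now reach the page through `<%-` without escaping, unlike `siteName` and `email` in the other files of this commit. These look like relying-party-supplied values, so a quote character in either one would end the attribute and the remainder would be parsed as markup. Wrap them the same way, `terms: 'href="' + escape(termsOfService) + '" id="rp_tos" target="_blank"',` and likewise for `privacy`. Whether the URLs are already restricted to http/https before they reach the template is not visible here and should be confirmed. The object literal continues past the end of the hunk, so the `site` value it passes is not shown and needs the same check.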
@@ -22,7 +22,7 @@ <% if (personaTOSPP) { %> <p id="persona_tospp" class="submit tospp"> - <%= format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), + <%- format(gettext("By proceeding, you agree to %(site)'s <a %(terms)>Terms</a> and <a %(privacy)>Privacy Policy</a>."), { site: "Persona", terms: 'href="https://login.persona.org/tos" target="_new"', privacy: 'href="https://login.persona.org/privacy" target="_new"' }) %>