From bb0f5b552c3a52abfac1e2147144eef8f2e7dfab Mon Sep 17 00:00:00 2001
From: Jordan Milne <jordan.milne@saynotolinux.com>
Date: Thu, 15 Jan 2015 14:39:12 -0800
Subject: [PATCH] Replace ad-hoc HTML templating with `format_html()` and
 `_wsf()`

Conflicts:
	r2/r2/templates/prefoptions.html
---
 r2/r2/controllers/api.py                 | 14 +++++-----
 r2/r2/controllers/promotecontroller.py   |  3 ++-
 r2/r2/models/link.py                     | 21 +++++++--------
 r2/r2/templates/base.htmllite            | 12 ++++-----
 r2/r2/templates/comment.compact          |  4 +--
 r2/r2/templates/exploreitemlisting.html  |  6 ++---
 r2/r2/templates/frametoolbar.html        | 10 +++----
 r2/r2/templates/listing.html             |  6 ++---
 r2/r2/templates/message.compact          | 11 ++++----
 r2/r2/templates/message.html             | 16 +++++------
 r2/r2/templates/message.xml              |  6 ++---
 r2/r2/templates/multiinfobar.html        |  5 ++--
 r2/r2/templates/newlink.html             | 10 +++----
 r2/r2/templates/oauth2authorization.html | 16 +++++------
 r2/r2/templates/prefoptions.html         | 34 +++++++++++-------------
 r2/r2/templates/promotedlinktraffic.html |  6 ++---
 r2/r2/templates/spotlightlisting.html    |  4 +--
 r2/r2/templates/subreddittopbar.html     |  4 +--
 r2/r2/templates/tablelisting.html        |  6 ++---
 r2/r2/templates/userlisting.html         |  6 ++---
 r2/r2/templates/utils.html               |  4 +--
 r2/r2/templates/widgetdemopanel.html     | 10 +++----
 22 files changed, 107 insertions(+), 107 deletions(-)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 23b158fd6..58f1aa9c2 100644
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -82,6 +82,7 @@ from r2.lib.menus import CommentSortMenu
 from r2.lib.captcha import get_iden
 from r2.lib.strings import strings
 from r2.lib.filters import _force_unicode, websafe_json, websafe, spaceCompress
+from r2.lib.template_helpers import format_html
 from r2.lib.db import queries
 from r2.lib.db.queries import changed
 from r2.lib import media
@@ -1858,9 +1859,9 @@ class ApiController(RedditController):
         else:
             emails, users = emails
             jquery.things(link._fullname).set_text(".share", _("shared"))
-            shareform.html("<div class='clearleft'></div>"
-                           "<p class='error'>%s</p>" % 
-                           websafe(_("your link has been shared.")))
+            shareform.html(format_html("<div class='clearleft'></div>"
+                                       "<p class='error'>%s</p>",
+                                       _("your link has been shared.")))
 
             if getattr(link, "promoted", None) and link.disable_comments:
                 message = message + "\n\n" if message else ""
@@ -3679,9 +3680,10 @@ class ApiController(RedditController):
 
             # TODO: move this to a template
             if flair_template:
-                flair = '<span class="linkflairlabel %s">%s</span>' % (
-                    ' '.join('linkflair-' + c for c in css_class.split()),
-                    websafe(text))
+                classes = ' '.join('linkflair-' + c for c in css_class.split())
+                flair = format_html('<span class="linkflairlabel %s">%s</span>',
+                                    classes, text)
+
                 if site.link_flair_position == 'left':
                     jquery(title_path).before(flair)
                 elif site.link_flair_position == 'right':
diff --git a/r2/r2/controllers/promotecontroller.py b/r2/r2/controllers/promotecontroller.py
index 76c31ab11..87c241e2f 100644
--- a/r2/r2/controllers/promotecontroller.py
+++ b/r2/r2/controllers/promotecontroller.py
@@ -39,6 +39,7 @@ from r2.lib.base import abort
 from r2.lib.db import queries
 from r2.lib.errors import errors
 from r2.lib.filters import websafe
+from r2.lib.template_helpers import format_html
 from r2.lib.media import force_thumbnail, thumbnail_url, _scrape_media
 from r2.lib.memoize import memoize
 from r2.lib.menus import NamedButton, NavButton, NavMenu, QueryButton
@@ -554,7 +555,7 @@ class PromoteApiController(ApiController):
         if promote.is_promo(link):
             text = PromotionLog.add(link, note)
             form.find(".notes").children(":last").after(
-                "<p>" + websafe(text) + "</p>")
+                format_html("<p>%s</p>", text))
 
     @validatedForm(
         VSponsorAdmin(),
diff --git a/r2/r2/models/link.py b/r2/r2/models/link.py
index af9c460ba..849fd6265 100644
--- a/r2/r2/models/link.py
+++ b/r2/r2/models/link.py
@@ -368,7 +368,7 @@ class Link(Thing, Printable):
         from r2.lib.count import incr_counts
         from r2.lib import media
         from r2.lib.utils import timeago
-        from r2.lib.template_helpers import get_domain, _ws, unsafe
+        from r2.lib.template_helpers import get_domain, unsafe, format_html
         from r2.models.report import Report
         from r2.models.subreddit import FakeSubreddit
         from r2.lib.wrapped import CachedVariable
@@ -655,16 +655,16 @@ class Link(Thing, Printable):
 
             taglinetext = ''
             if item.different_sr:
-                author_text = (" <span>" + _ws("by %(author)s to %(reddit)s") +
-                               "</span>")
+                author_text = format_html(" <span>%s</span>",
+                                          _("by %(author)s to %(reddit)s"))
             else:
-                author_text = " <span>" + _ws("by %(author)s") + "</span>"
+                author_text = format_html(" <span>%s</span>",
+                                          _("by %(author)s"))
             if item.editted:
                 if item.score_fmt in (Score.points, Score.safepoints):
-                    taglinetext = ("<span>" +
-                                   _ws("%(score)s submitted %(when)s "
-                                       "%(lastedited)s") +
-                                   "</span>")
+                    taglinetext = format_html("<span>%s</span>",
+                                              _("%(score)s submitted %(when)s "
+                                                "%(lastedited)s"))
                     taglinetext = unsafe(taglinetext + author_text)
                 elif item.different_sr:
                     taglinetext = _("submitted %(when)s %(lastedited)s "
@@ -674,9 +674,8 @@ class Link(Thing, Printable):
                                     "by %(author)s")
             else:
                 if item.score_fmt in (Score.points, Score.safepoints):
-                    taglinetext = ("<span>" +
-                                   _ws("%(score)s submitted %(when)s") +
-                                   "</span>")
+                    taglinetext = format_html("<span>%s</span>",
+                                              _("%(score)s submitted %(when)s"))
                     taglinetext = unsafe(taglinetext + author_text)
                 elif item.different_sr:
                     taglinetext = _("submitted %(when)s by %(author)s "
diff --git a/r2/r2/templates/base.htmllite b/r2/r2/templates/base.htmllite
index 43a3982a1..4c391c165 100644
--- a/r2/r2/templates/base.htmllite
+++ b/r2/r2/templates/base.htmllite
@@ -24,7 +24,7 @@
 
 <%!
    from pylons.i18n import _
-   from r2.lib.template_helpers import get_domain, style_line, _ws
+   from r2.lib.template_helpers import get_domain, style_line, format_html, _ws
    from r2.models.subreddit import FakeSubreddit, DefaultSR
 %>
 
@@ -49,16 +49,16 @@
            ${optionalstyle("border:none")} />
     </a>
     <%
-       style = capture(optionalstyle, "text-decoration:none;color:#336699")
+       style = unsafe(capture(optionalstyle, "text-decoration:none;color:#336699"))
        name = c.site.name
        if not isinstance(c.site, FakeSubreddit):
            name += ".%s" % g.domain
        if c.link_target:
-          link = ('<a %s href="http://%s/" target="%s">%s</a></h3>' % 
-                  (style, get_domain(), c.link_target, name))
+          link = format_html('<a %s href="http://%s/" target="%s">%s</a></h3>',
+                             style, get_domain(), c.link_target, name)
        else:
-          link = ('<a %s href="http://%s/">%s</a></h3>' % 
-                 (style, get_domain(), name))
+          link = format_html('<a %s href="http://%s/">%s</a></h3>',
+                             style, get_domain(), name)
      %>
     ${self.titlebar(link)}
   </h4>
diff --git a/r2/r2/templates/comment.compact b/r2/r2/templates/comment.compact
index 8eda0c90e..c130a32e3 100644
--- a/r2/r2/templates/comment.compact
+++ b/r2/r2/templates/comment.compact
@@ -22,7 +22,7 @@
 
 <%!
     from r2.lib.pages import WrappedUser
-    from r2.lib.template_helpers import add_sr, _ws
+    from r2.lib.template_helpers import add_sr, _wsf
 %>
 <%namespace file="printable.compact" import="delete_report_buttons"/>
 <%namespace file="printable.html" import="arrow, score, thing_css_rowclass"/>
@@ -67,7 +67,7 @@
      %endif
      &#32;
      ## thing.timesince is a cache stub
-     ${unsafe(_ws("%(timeago)s") % dict(timeago=thing.timesince))}
+     ${_wsf("%(timeago)s", timeago=thing.timesince)}
      % if thing.gilded_message:
        <span class="gilded-icon" title="${thing.gilded_message}" data-count="${thing.gildings}">
          % if thing.gildings > 1:
diff --git a/r2/r2/templates/exploreitemlisting.html b/r2/r2/templates/exploreitemlisting.html
index ff66630b5..980eb1b51 100644
--- a/r2/r2/templates/exploreitemlisting.html
+++ b/r2/r2/templates/exploreitemlisting.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import format_html
 %>
 <%namespace file="utils.html" import="plain_link" />
 <%
@@ -63,7 +63,7 @@
       %endfor
       <div class="nav-buttons">
         <span class="nextprev">${_("view more:")}&#32;
-          ${plain_link(unsafe(_ws("reload suggestions") + " &rsaquo;"), request.url, _sr_path=False, nocname=True)}
+          ${plain_link(format_html("%s &rsaquo;", _("reload suggestions")), request.url, _sr_path=False, nocname=True)}
         </span>
       </div>
   %else:
@@ -74,7 +74,7 @@
     </div>
     <div class="nav-buttons">
       <span class="nextprev">
-        ${plain_link(unsafe(_ws("try again") + " &rsaquo;"), "/explore", _sr_path=False, nocname=True)}
+        ${plain_link(format_html("%s &rsaquo;", _("try again")), "/explore", _sr_path=False, nocname=True)}
       </span>
     </div>
   %endif
diff --git a/r2/r2/templates/frametoolbar.html b/r2/r2/templates/frametoolbar.html
index 59c124b3b..90efef708 100644
--- a/r2/r2/templates/frametoolbar.html
+++ b/r2/r2/templates/frametoolbar.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%! 
-   from r2.lib.template_helpers import static, get_domain, add_sr, _ws
+   from r2.lib.template_helpers import static, get_domain, add_sr, format_html
    from r2.lib.strings import Score
 %>
 
@@ -188,21 +188,21 @@
     <span>
     %if thing.saved:
       ${state_button("unsave", _("unsave"),
-        "return change_state(this, 'unsave');", "<b>%s</b>" % _ws("unsaved"),
+        "return change_state(this, 'unsave');", format_html("<b>%s</b>", _("unsaved")),
         a_class="clickable")}
     %else:
        ${state_button("save", _("save"),
-         "return change_state(this, 'save');", "<b>%s</b>" % _ws("saved"),
+         "return change_state(this, 'save');", format_html("<b>%s</b>", _("saved")),
          a_class="clickable")}
     %endif
     </span><span>
     %if thing.hidden:
       ${state_button("unhide", _("unhide"),
-        "return change_state(this, 'unhide');", "<b>%s</b>" % _ws("unhidden"),
+        "return change_state(this, 'unhide');", format_html("<b>%s</b>", _("unhidden")),
         a_class="clickable")}
     %else:
        ${state_button("hide", _("hide"),
-         "return change_state(this, 'hide');", "<b>%s</b>" % _ws("hide"),
+         "return change_state(this, 'hide');", format_html("<b>%s</b>", _("hide")),
          a_class="clickable")}
     %endif
     </span>
diff --git a/r2/r2/templates/listing.html b/r2/r2/templates/listing.html
index 87b37ad6b..d731241f4 100644
--- a/r2/r2/templates/listing.html
+++ b/r2/r2/templates/listing.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import format_html
    from r2.models import Sub
  %>
 <%namespace file="utils.html" import="plain_link" />
@@ -39,13 +39,13 @@
     <div class="nav-buttons">
       <span class="nextprev">${_("view more:")}&#32;
       %if thing.prev:
-        ${plain_link(unsafe("&lsaquo; " + _ws("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
+        ${plain_link(format_html("&lsaquo; %s", _("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
       %endif
       %if thing.prev and thing.next:
         <span class="separator"></span>
       %endif
       %if thing.next:
-        ${plain_link(unsafe(_ws("next") + " &rsaquo;"), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
+        ${plain_link(format_html("%s &rsaquo;", _("next")), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
       %endif
       </span>
       %if thing.next_suggestions:
diff --git a/r2/r2/templates/message.compact b/r2/r2/templates/message.compact
index ab95d9030..184925c68 100644
--- a/r2/r2/templates/message.compact
+++ b/r2/r2/templates/message.compact
@@ -24,6 +24,7 @@
     from r2.lib.pages import WrappedUser
     from r2.lib.filters import safemarkdown, websafe, conditional_websafe
     from r2.models import Account
+    from r2.lib.template_helpers import format_html
 %>
 <%namespace file="printable.html" import="arrow, score"/>
 <%namespace file="utils.html" import="plain_link" />
@@ -59,23 +60,23 @@
     substitutions = {}
 
     if thing.sr_id:
-        substitutions['subreddit'] = u'<b>&nbsp;<a href="%(path)s.compact">%(path)s</a>&nbsp;</b>' % dict(path=thing.subreddit.path)
+        substitutions['subreddit'] = format_html(u'<b>&nbsp;<a href="%(path)s.compact">%(path)s</a>&nbsp;</b>', path=thing.subreddit.path)
 
-    substitutions['author'] = u"<b>%s</b>" % WrappedUser(thing.author, thing.attribs, thing).render()
+    substitutions['author'] = format_html(u"<b>%s</b>", WrappedUser(thing.author, thing.attribs, thing))
 
     if isinstance(thing.to, Account):
-        substitutions['dest'] = u"<b>%s</b>" % WrappedUser(thing.to, [], thing).render()
+        substitutions['dest'] = format_html(u"<b>%s</b>", WrappedUser(thing.to, [], thing))
     elif thing.sr_id:
         substitutions['dest'] = substitutions['subreddit']
 
     substitutions['when'] = thing.timesince
 
     taglinetext = conditional_websafe(thing.taglinetext).replace(' ', '&nbsp;')
-    taglinetext %= substitutions
+    taglinetext = format_html(taglinetext, **substitutions)
   %>
 
     <div class="tagline">
-      ${unsafe(taglinetext)}
+      ${taglinetext}
     </div>
     <a href="javascript:void(0)" class="options_link"></a>
     ${unsafe(safemarkdown(thing.body))}
diff --git a/r2/r2/templates/message.html b/r2/r2/templates/message.html
index 7e9052e48..ea11f693f 100644
--- a/r2/r2/templates/message.html
+++ b/r2/r2/templates/message.html
@@ -24,7 +24,7 @@
    from r2.lib.filters import safemarkdown, websafe, conditional_websafe
    from r2.lib.pages.things import MessageButtons
    from r2.lib.pages import WrappedUser
-   from r2.lib.template_helpers import static, add_attr
+   from r2.lib.template_helpers import static, add_attr, format_html
    from r2.models import Account
 %>
 
@@ -53,9 +53,9 @@ ${parent.thing_css_class(what)} ${"new" if thing.new else ""} ${"was-comment" if
     substitutions = {}
 
     if thing.sr_id:
-        substitutions['subreddit'] = u'<span class="subreddit"><a href="%(path)s">%(path)s</a></span>' % dict(path=thing.subreddit.path)
+        substitutions['subreddit'] = format_html(u'<span class="subreddit"><a href="%(path)s">%(path)s</a></span>', path=thing.subreddit.path)
 
-    substitutions['author'] = u'<span class="sender">%s</span>' % WrappedUser(thing.author, thing.attribs, thing).render()
+    substitutions['author'] = format_html(u'<span class="sender">%s</span>', WrappedUser(thing.author, thing.attribs, thing))
 
     if isinstance(thing.to, Account):
         to_attribs = []
@@ -68,18 +68,18 @@ ${parent.thing_css_class(what)} ${"new" if thing.new else ""} ${"was-comment" if
                 label = _('moderator of /r/%(reddit)s, speaking officially')
                 label %= {'reddit': thing.subreddit.name}
                 add_attr(to_attribs, 'M', label=label, link=link)
-        substitutions['dest'] = u'<span class="recipient">%s</span>' % WrappedUser(thing.to, to_attribs, thing).render()
+        substitutions['dest'] = format_html(u'<span class="recipient">%s</span>', WrappedUser(thing.to, to_attribs, thing))
     elif thing.sr_id:
-        substitutions['dest'] = u'<span class="recipient subreddit"><a href="%(path)s">%(path)s</a></span>' % dict(path=thing.subreddit.path)
+        substitutions['dest'] = format_html(u'<span class="recipient subreddit"><a href="%(path)s">%(path)s</a></span>', path=thing.subreddit.path)
 
-    substitutions['when'] = capture(thing_timestamp, thing, thing.timesince, include_tense=True)
+    substitutions['when'] = unsafe(capture(thing_timestamp, thing, thing.timesince, include_tense=True))
 
     taglinetext = conditional_websafe(thing.taglinetext).replace(' ', '&#32;')
-    taglinetext %= substitutions
+    taglinetext = format_html(taglinetext, **substitutions)
   %>
 
   <span class="head">
-    ${unsafe(taglinetext)}
+    ${taglinetext}
   </span>
 
   %if c.user_is_admin:
diff --git a/r2/r2/templates/message.xml b/r2/r2/templates/message.xml
index 81db668af..651204407 100644
--- a/r2/r2/templates/message.xml
+++ b/r2/r2/templates/message.xml
@@ -22,7 +22,7 @@
 
 <%!
    from r2.lib.filters import safemarkdown, websafe, conditional_websafe
-   from r2.lib.template_helpers import add_sr
+   from r2.lib.template_helpers import add_sr, format_html
    from r2.models.account import DeletedUser, Account
 %>
 
@@ -49,9 +49,9 @@
     substitutions['when'] = thing.timesince
 
     taglinetext = conditional_websafe(thing.taglinetext)
-    taglinetext %= substitutions
+    taglinetext = format_html(taglinetext, **substitutions)
   %>
-  ${thing.subject} : ${unsafe(taglinetext)}
+  ${thing.subject} : ${taglinetext}
   </title>
   <pubDate>${thing._date.strftime('%a, %d %b %Y %H:%M:%S %z')}</pubDate>
   <dc:date>${thing._date.isoformat()}</dc:date>
diff --git a/r2/r2/templates/multiinfobar.html b/r2/r2/templates/multiinfobar.html
index ecddaf585..f0d948ad5 100644
--- a/r2/r2/templates/multiinfobar.html
+++ b/r2/r2/templates/multiinfobar.html
@@ -23,7 +23,7 @@
 <%!
    from r2.lib.strings import strings, Score
    from r2.lib.pages import WrappedUser, UserText
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import _ws, _wsf, format_html
  %>
 
 <%namespace file="utils.html" import="plain_link, thing_timestamp, text_with_links"/>
@@ -84,7 +84,8 @@
     %endif
   </div>
 
-  <h3>${unsafe(_ws('%(count)s subreddits in this multi:') % dict(count='<span class="count">%d</span>&#32;' % len(thing.srs)))}</h3>
+  <% sr_count = format_html('<span class="count">%s</span>&#32;', len(thing.srs)) %>
+  <h3>${_wsf('%(count)s subreddits in this multi:', count=sr_count)}</h3>
   <ul class="subreddits">
   %for sr in thing.srs:
     <li data-name="${sr.name}">
diff --git a/r2/r2/templates/newlink.html b/r2/r2/templates/newlink.html
index 217da6e6d..23d94225c 100644
--- a/r2/r2/templates/newlink.html
+++ b/r2/r2/templates/newlink.html
@@ -23,7 +23,7 @@
 <%!
    from r2.lib.strings import strings
    from r2.lib.pages import SubredditSelector, UserText
-   from r2.lib.template_helpers import add_sr, _ws
+   from r2.lib.template_helpers import add_sr, _wsf, format_html
    from r2.lib.filters import safemarkdown
 %>
 
@@ -32,12 +32,12 @@
 
 <%
   if thing.default_sr:
-    sr = "&#32;" + _a_buffered(thing.default_sr.name, href=thing.default_sr.path)
+    sr = format_html("&#32;%s", unsafe(_a_buffered(thing.default_sr.name, href=thing.default_sr.path)))
   else:
-    sr = _ws("reddit")
+    sr = _("reddit")
 %>
 
-<h1>${unsafe(_ws("submit to %(sr)s") % dict(sr=sr))}</h1>
+<h1>${_wsf("submit to %(sr)s", sr=sr)}</h1>
 
 <%utils:submit_form onsubmit="return post_form(this, 'submit', linkstatus, null, true)" 
                     action=${add_sr("/submit")},
@@ -107,7 +107,7 @@ ${thing.formtabs_menu}
 
 <div class="spacer">
     <div class="submit_text roundfield">
-        <h1>${unsafe(_ws('submitting to %(sr)s') % dict(sr='/r/<span class="sr"></span>'))}</h1>
+        <h1>${_wsf('submitting to %(sr)s', sr=unsafe('/r/<span class="sr"></span>'))}</h1>
         <span class="content">
             %if thing.default_sr and thing.default_sr.submit_text:
                 ${unsafe(safemarkdown(thing.default_sr.submit_text))}
diff --git a/r2/r2/templates/oauth2authorization.html b/r2/r2/templates/oauth2authorization.html
index a070d289b..d28b7bcbe 100644
--- a/r2/r2/templates/oauth2authorization.html
+++ b/r2/r2/templates/oauth2authorization.html
@@ -23,7 +23,7 @@
 <%!
    import datetime
    from r2.models import OAuth2AccessToken
-   from r2.lib.template_helpers import static, make_url_protocol_relative, _ws
+   from r2.lib.template_helpers import static, make_url_protocol_relative, _wsf, format_html
 %>
 <%namespace file="clientinfobar.html" import="app_link" />
 <%namespace file="prefapps.html" import="scope_details" />
@@ -32,8 +32,8 @@
      icon = make_url_protocol_relative(thing.client.icon_url)
    else:
      icon = static("defaultapp.png")
-   app_name = (
-       "<!-- SC_OFF --> <b>%s</b> <!-- SC_ON -->" % websafe(thing.client.name))
+   app_name = format_html(
+       "<!-- SC_OFF --> <b>%s</b> <!-- SC_ON -->", thing.client.name)
 %>
 <div class="content oauth2-authorize">
   <div class="icon">
@@ -42,18 +42,16 @@
     &nbsp;
   </div>
   <h1>
-    ${unsafe(_ws("%(app)s requests to connect with your reddit account.")
-             % dict(app=app_link(thing.client)))}
+    ${_wsf("%(app)s requests to connect with your reddit account.",
+           app=unsafe(app_link(thing.client)))}
   </h1>
   <div class="access">
     <div class="access-permissions">
-        <h2>${unsafe(_ws("Allow %(app)s to:") % dict(app=app_name))}</h2>
+        <h2>${_wsf("Allow %(app)s to:", app=app_name)}</h2>
         ${scope_details(thing.scope, expiration=thing.expiration)}
     </div>
     <p class="notice">
-        ${unsafe(
-            _ws("%(app)s will not be able to access your reddit password.")
-            % dict(app=app_name))}
+        ${_wsf("%(app)s will not be able to access your reddit password.", app=app_name)}
     </p>
     <form method="post" action="/api/v1/authorize" class="pretty-form">
       <input type="hidden" name="client_id" value="${thing.client._id}" />
diff --git a/r2/r2/templates/prefoptions.html b/r2/r2/templates/prefoptions.html
index ecdb45308..a919e00e9 100644
--- a/r2/r2/templates/prefoptions.html
+++ b/r2/r2/templates/prefoptions.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import add_sr, _ws
+   from r2.lib.template_helpers import add_sr, _wsf, format_html
    from r2.lib.utils import UrlParser
    import random
 %>
@@ -171,15 +171,14 @@
          <span class="little gray">${_("(except my own)")}</span>
       </p>
       <p>
-        ${unsafe(_ws("display %(num)s links at once") % \
-        dict(num=capture(link_options)))}
+        ${_wsf("display %(num)s links at once", num=unsafe(capture(link_options)))}
       </p>
       <%
-         input = capture(num_input, c.user.pref_min_link_score,
-         'min_link_score')
+         input = unsafe(capture(num_input, c.user.pref_min_link_score,
+         'min_link_score'))
          %>
       <p>
-      ${unsafe(_ws("don't show me submissions with a score less than %(num)s") % dict(num = input))}
+      ${_wsf("don't show me submissions with a score less than %(num)s", num=input)}
       &#32;<span class="little gray">${_("(leave blank to show all submissions)")}</span>
       </p>
     </td>
@@ -188,21 +187,20 @@
     <th>${_("comment options")}</th>
     <td class="prefright">
     <% 
-       input = capture(num_input, c.user.pref_min_comment_score,
-                       'min_comment_score')
+       input = unsafe(capture(num_input, c.user.pref_min_comment_score,
+                              'min_comment_score'))
        %>
     <p>
-      ${unsafe(_ws("don't show me comments with a score less than %(num)s") % dict(num = input))}
+      ${_wsf("don't show me comments with a score less than %(num)s", num=input)}
       &#32;<span class="little gray">${_("(leave blank to show all comments)")}</span>
     </p>
     <p>
       <% 
-       input = capture(num_input, c.user.pref_num_comments,
-       'num_comments')
+       input = unsafe(capture(num_input, c.user.pref_num_comments,
+                              'num_comments'))
        %>
     <% s = c.user.pref_num_comments %>
-    ${unsafe(_ws("display %(num)s comments by default") % \
-    dict(num = input))}
+    ${_wsf("display %(num)s comments by default", num=input)}
     &#32;
     <span class="little gray">
       (1 - ${g.max_comments});
@@ -275,10 +273,10 @@
       &#32;
       <span class="little gray">
         <%
-           link1 = "&#32;<a href='/user/%s/liked'>/user/%s/liked</a>&#32;" % (c.user.name, c.user.name)
-           link2 = "&#32;<a href='/user/%s/disliked'>/user/%s/disliked</a>" % (c.user.name, c.user.name)
+           link1 = format_html('&#32;<a href="/user/%s/liked">/user/%s/liked</a>&#32;', c.user.name, c.user.name)
+           link2 = format_html('&#32;<a href="/user/%s/disliked">/user/%s/disliked</a>', c.user.name, c.user.name)
            %>
-        (${unsafe(_ws("let everyone see %(link1)s and %(link2)s") % dict(link1=link1, link2=link2))})
+        (${_wsf("let everyone see %(link1)s and %(link2)s", link1=link1, link2=link2)})
       </span>
       <br/>
       ${checkbox(_("allow my data to be used for research purposes"), "research")}
@@ -324,8 +322,8 @@
           (${_("we'll remember your visits for 48 hours and show you which comments you haven't seen yet")})
         </span>
         <br><br>
-        <% creddit_link = '&#32;<a href="/creddits">creddit</a>&#32;' %>
-        ${checkbox(unsafe(_ws("use a %(creddit_link)s to automatically renew my gold if it expires") % dict(creddit_link=creddit_link)), "creddit_autorenew")}
+        <% creddit_link = unsafe('&#32;<a href="/creddits">creddit</a>&#32;') %>
+        ${checkbox(_wsf("use a %(creddit_link)s to automatically renew my gold if it expires", creddit_link=creddit_link), "creddit_autorenew")}
     </td>
   </tr>
   %endif
diff --git a/r2/r2/templates/promotedlinktraffic.html b/r2/r2/templates/promotedlinktraffic.html
index f84aa1e02..a84abe332 100644
--- a/r2/r2/templates/promotedlinktraffic.html
+++ b/r2/r2/templates/promotedlinktraffic.html
@@ -26,7 +26,7 @@
 <%!
     from r2.lib.strings import strings
     from r2.lib.filters import safemarkdown
-    from r2.lib.template_helpers import format_number, js_timestamp, _ws
+    from r2.lib.template_helpers import format_number, js_timestamp, format_html
 %>
 
 <%def name="make_traffic_table()">
@@ -83,13 +83,13 @@
   %if thing.prev or thing.next:
     <p class="nextprev"> ${_("view more:")}&#32;
     %if thing.prev:
-      ${plain_link(unsafe("&lsaquo; " + _ws("prev")), thing.prev, _sr_path=False, rel="nofollow prev")}
+      ${plain_link(format_html("&lsaquo; %s", _("prev")), thing.prev, _sr_path=False, rel="nofollow prev")}
     %endif
     %if thing.prev and thing.next:
       <span class="separator"></span>
     %endif
     %if thing.next:
-      ${plain_link(unsafe(_ws("next") + " &rsaquo;"), thing.next,  _sr_path=False, rel="nofollow next")}
+      ${plain_link(format_html("%s &rsaquo;", _("next")), thing.next,  _sr_path=False, rel="nofollow next")}
     %endif
     </p>
   %endif
diff --git a/r2/r2/templates/spotlightlisting.html b/r2/r2/templates/spotlightlisting.html
index acb8ec8bc..7a05bf055 100644
--- a/r2/r2/templates/spotlightlisting.html
+++ b/r2/r2/templates/spotlightlisting.html
@@ -24,7 +24,7 @@
 <%namespace file="utils.html" import="tags, text_with_links, classes"/>
 <%
    import json
-   from r2.lib.template_helpers import static, _ws
+   from r2.lib.template_helpers import static, format_html
    from r2.lib.wrapped import Templated
 %>
 
@@ -68,7 +68,7 @@
         <p>
           ${text_with_links(
             _("Use of this tool is open to all members of reddit.com, and for as little as %(price)s you can advertise in this area. %%(get_started)s") % dict(price=format_currency(g.min_promote_bid, 'USD', locale=c.locale)),
-              get_started=dict(link_text=unsafe(_ws("Get started") + " &rsaquo;"), path="/advertising")
+              get_started=dict(link_text=format_html("%s &rsaquo;", _("Get started")), path="/advertising")
           )}
         </p>
       </div>
diff --git a/r2/r2/templates/subreddittopbar.html b/r2/r2/templates/subreddittopbar.html
index 2a917cce9..fa9c8b3f8 100644
--- a/r2/r2/templates/subreddittopbar.html
+++ b/r2/r2/templates/subreddittopbar.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import format_html
 %>
 <%namespace file="utils.html" import="plain_link"/>
 
@@ -41,7 +41,7 @@
       %>
     </div>
 
-    ${plain_link(unsafe(_ws(editmore) + " &raquo;"),
+    ${plain_link(format_html("%s &raquo;", _(editmore)),
                  "/subreddits/", id="sr-more-link")}
   </div>
 </div>
diff --git a/r2/r2/templates/tablelisting.html b/r2/r2/templates/tablelisting.html
index 03d2c8042..193b4a72b 100644
--- a/r2/r2/templates/tablelisting.html
+++ b/r2/r2/templates/tablelisting.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import format_html
    from r2.models import Sub
  %>
 <%namespace file="utils.html" import="plain_link" />
@@ -51,13 +51,13 @@
   %if thing.prev:
     ${plain_link(_("first"), thing.first, _sr_path = (c.site != Sub), rel="nofollow first")}
     <span class="separator"></span>
-    ${plain_link(unsafe("&lsaquo; " + _ws("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
+    ${plain_link(format_html("&lsaquo; %s", _("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
   %endif
   %if thing.prev and thing.next:
     <span class="separator"></span>
   %endif
   %if thing.next:
-  ${plain_link(unsafe(_ws("next") + " &rsaquo;"), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
+  ${plain_link(format_html("%s &rsaquo;", _("next")), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
   %endif
   </p>
 %endif
diff --git a/r2/r2/templates/userlisting.html b/r2/r2/templates/userlisting.html
index 02de83943..f05c27365 100644
--- a/r2/r2/templates/userlisting.html
+++ b/r2/r2/templates/userlisting.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import _ws
+   from r2.lib.template_helpers import format_html
    from r2.models import Sub
  %>
 <%namespace file="utils.html" import="error_field, plain_link" />
@@ -106,13 +106,13 @@
   %if thing.prev:
     ${plain_link(_("first"), thing.first, _sr_path = (c.site != Sub), rel="nofollow first")} 
     <span class="separator"></span>
-    ${plain_link(unsafe("&lsaquo; " + _ws("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
+    ${plain_link(format_html("&lsaquo; %s", _("prev")), thing.prev, _sr_path = (c.site != Sub), rel="nofollow prev")}
   %endif
   %if thing.prev and thing.next:
     <span class="separator"></span>
   %endif
   %if thing.next:
-  ${plain_link(unsafe(_ws("next") + " &rsaquo;"), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
+  ${plain_link(format_html("%s &rsaquo;", _("next")), thing.next,  _sr_path = (c.site != Sub), rel="nofollow next")}
   %endif
   </p>
 %endif
diff --git a/r2/r2/templates/utils.html b/r2/r2/templates/utils.html
index aa337cbee..3b158e347 100644
--- a/r2/r2/templates/utils.html
+++ b/r2/r2/templates/utils.html
@@ -24,7 +24,7 @@
    import json
    from r2.models import FakeSubreddit
    from r2.lib.filters import spaceCompress, unsafe, safemarkdown, jssafe
-   from r2.lib.template_helpers import add_sr, js_config, static, html_datetime, simplified_timesince, make_url_protocol_relative, _ws
+   from r2.lib.template_helpers import add_sr, js_config, static, html_datetime, simplified_timesince, make_url_protocol_relative
    from r2.lib.utils import cols, long_datetime
    from r2.lib import tracking
    from datetime import datetime
@@ -315,7 +315,7 @@ ${unsafe(txt)}
                  onchange="$(this).next().prop('disabled', false); ${onchange}"/>
           <button id="submit-img" class="submit-img primary-button"
                   type="submit" name="upload" 
-                  onclick="$(this).siblings('.img-status').show().html('${jssafe(_('uploading'))}'); return true;"
+                  onclick="$(this).siblings('.img-status').show().text('${jssafe(_('uploading'))}'); return true;"
                   disabled>
             ${_('upload')}
           </button>
diff --git a/r2/r2/templates/widgetdemopanel.html b/r2/r2/templates/widgetdemopanel.html
index d78a758de..824597d12 100644
--- a/r2/r2/templates/widgetdemopanel.html
+++ b/r2/r2/templates/widgetdemopanel.html
@@ -21,7 +21,7 @@
 ###############################################################################
 
 <%!
-   from r2.lib.template_helpers import get_domain, _ws
+   from r2.lib.template_helpers import get_domain, _wsf
 %>
 
 <% 
@@ -157,11 +157,11 @@ function update() {
          </p>
          <p>
           <input type="radio" name="which" value="one" onclick="update()" /> 
-           ${unsafe(_ws("links %(submitted_by)s the user %(who)s") % dict(submitted_by = where2(), who = text_input("who")))}
+           ${_wsf("links %(submitted_by)s the user %(who)s", submitted_by=unsafe(where2()), who=unsafe(text_input("who")))}
          </p>
          <p>
            <input type="radio" name="which" value="two" onclick="update()" /> 
-          ${unsafe(_ws("links from the domain %(domain)s") % dict(domain = text_input("domain")))}
+          ${_wsf("links from the domain %(domain)s", domain=unsafe(text_input("domain")))}
          </p>
        </td>
      </tr>
@@ -178,10 +178,10 @@ function update() {
              <option value="top">${_("top")}</option>
            </select>
            </%def>
-           ${unsafe(_ws("sort links by %(what)s") % dict(what = what()))}
+           ${_wsf("sort links by %(what)s", what=unsafe(what()))}
          </p>
          <p>
-           ${unsafe(_ws("date range includes %(when)s") % dict(when = when()))}
+           ${_wsf("date range includes %(when)s", when=unsafe(when()))}
          </p>
          <p>
            ${_("number of links to show")}: