id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21731	"django.utils.text.javascript_quote does not escape ""</"" (without double quotes)"	Vajrasky Kok	Vajrasky Kok	"For the uninitiated, javascript_quote is useful if you want to add dynamic text to javascript.

Consider this case:

{{{
  <div id=""reviews""></div>
  <script type=""text/javascript"">
    $(""#reviews"").append(""{{ dynamic_text }}"");
  </script>
}}}


The dynamic text could be:

{{{
<a href='controller/action'>Action!</a>
}}}

So the relevant section of the template would be:

{{{
$(""#reviews"").append('<a href='controller/action'>Action!</a>');
}}}

As you can see, the JavaScript code will break because of single quotes inside single quotes. But with javascript_quote, the relevant section of the template would be:

{{{$(""#reviews"").append('<a href=\'controller/action\'>Action!</a>');}}}

So all is well!

Well, not really. The javascript_quote only escapes carriage returns, single and double quotes, and backslashes. But this is not enough. It needs to escape ""</"" (without double quotes) as well. Consider this case:

{{{$(""#reviews"").append('<script>alert(""Manly man loves cute cat"");</script>');}}}

The ""</script>"" (without double quotes) will break the javascript code. It is the closing tag of javascript code in html. In fact, Rails escapes ""</"" (without double quotes).
http://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html"	Bug	closed	Utilities	dev	Normal	fixed		sky.kok@… Rogério Yokomizo	Ready for checkin	1	0	0	0	0	0
