id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4131	addslashes isn't sufficient to protect literal strings in embedded JavaScript code	Ned Batchelder <ned@…>	Jacob	"When creating literal strings in embedded JavaScript code, the addslashes filter is used to escape characters significant to JavaScript:

   <script>
   var x = ""{{x|addslashes}}"";
   blah(x);
   </script>

But if the variable x includes the string ""</script>"", then this script block is ended too early, and the page is broken.

Attached is a patch that also escapes the </ sequence to ensure that this can't happen.
"		closed	Template system	dev		fixed		metajack@… me@… sam@…	Ready for checkin	1	0	0	0	0	0
