id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
7177	Expand and modify escaping of JavaScript strings in the escapejs filter	Mike Wiacek <mjwiacek@…>	nobody	The escapejs filter currently escapes a small subset of characters to prevent JavaScript injection. However, the resulting strings can still contain valid HTML, leading to XSS vulnerabilities. Using hex encoding as opposed to backslash escaping effectively prevents JavaScript injection and also helps prevent XSS. Attached is a small patch that modifies the _js_escapes tuple to use hex encoding on an expanded set of characters.		closed	Template system	dev		fixed	aug22sprint		Accepted	1	0	0	1	0	0
