id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
23561,Can unauthorized JS execution happen in quoted & escaped HTML class name?,djbug,nobody,"According to https://docs.djangoproject.com/en/1.7/topics/security/ If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML. If `var` is escaped and the class attribute is in quotes, how can JS execution happen? The previous version of docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ & before, didn't have quotes around `{{var}}` and that made sense (i.e. unquoted attributes are unsafe). However in v 1.7, is this a typo in the or is it implied that the invalid characters in class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?",Uncategorized,closed,Documentation,1.7,Normal,fixed,,,Accepted,0,0,0,0,0,0