id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23561	Can unauthorized JS execution happen in quoted & escaped HTML class name?	djbug	nobody	"According to https://docs.djangoproject.com/en/1.7/topics/security/

    <style class=""{{ var }}"">...</style>

If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML.

If `var` is escaped and the class attribute is in quotes, how can JS execution happen? 

The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around `{{var}}`, and that made sense, as you switch out of the attribute context with many characters. Is this a typo in the docs for 1.7, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?"	Uncategorized	new	Uncategorized	1.7	Normal				Unreviewed	0	0	0	0	0	0
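The ticket compares the quoted and unquoted forms of the docs snippet. The following is an added worked example, not part of the ticket or of Django itself: it renders both forms with the payload from the docs and a deliberate quote-breakout attempt, then tokenizes the result with a standards-conforming parser to show which attributes actually come out. Assumptions: Python's html.escape(quote=True) stands in for django.utils.html.escape (both replace the same five characters: &, <, >, " and '), html.parser.HTMLParser stands in for a conforming browser tokenizer, and template substitution is done with a plain string replace. The example says nothing about how a non-conforming browser handles the quoted case, which is the reporter's open question; it only shows what a spec-following tokenizer does.

```python
import html
from html.parser import HTMLParser

# Stand-in for django.utils.html.escape (assumption: same five-character escape set).
def escape(value: str) -> str:
    return html.escape(value, quote=True)


class AttrCollector(HTMLParser):
    """Record the (tag, attributes) of every start tag the tokenizer emits."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict[str, str | None]]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already entity-decodes attribute values (convert_charrefs=True).
        self.tags.append((tag, dict(attrs)))


def render(template: str, var: str) -> str:
    """Simulate {{ var }} substitution with autoescaping on (plain replace, an assumption)."""
    return template.replace("{{ var }}", escape(var))


def attributes(markup: str) -> dict:
    """Return the attribute dict of the first start tag a conforming tokenizer sees."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


# The two template shapes discussed in the ticket (1.7 docs vs. 1.6 docs).
QUOTED = '<style class="{{ var }}">...</style>'
UNQUOTED = '<style class={{ var }}>...</style>'

# Payload quoted from the docs: no characters that escaping touches.
PAYLOAD = 'class1 onmouseover=javascript:func()'
# Constructed breakout attempt: tries to close the quoted attribute.
BREAKOUT = 'x" onmouseover="javascript:func()'


def demo() -> dict:
    """Collect the attribute sets for each case so they can be compared side by side."""
    return {
        "quoted_payload": attributes(render(QUOTED, PAYLOAD)),
        "unquoted_payload": attributes(render(UNQUOTED, PAYLOAD)),
        "quoted_breakout": attributes(render(QUOTED, BREAKOUT)),
        "quoted_breakout_markup": render(QUOTED, BREAKOUT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the quoted template, the docs payload stays a single class attribute because the space never leaves the quoted value, and the breakout attempt is neutralised because escaping turns the embedded double quote into &quot;. With the unquoted template, the same payload yields a separate onmouseover attribute, which is the case the 1.6 wording described.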
