id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 23561,Can unauthorized JS execution happen in a quoted & escaped HTML class name?,djbug,nobody,"According to https://docs.djangoproject.com/en/1.7/topics/security/: If var is set to 'class1 onmouseover=javascript:func()', this can result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML. If `var` is escaped and the class attribute is in quotes, how can JS execution happen? The previous version of the docs, i.e. https://docs.djangoproject.com/en/1.6/topics/security/ and before, didn't have quotes around `{{var}}`, and that made sense, as you can switch out of the attribute context with many characters. Is this a typo in the docs for 1.7, or is it implied that the invalid characters in the class name *may* cause a security exception in some obscure browser that might close the class context? Is this a known security issue in any browser?",Uncategorized,new,Uncategorized,1.7,Normal,,,,Unreviewed,0,0,0,0,0,0