id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31466	A potential improvement in the Django template filter `escapejs`	Phithon	Phithon	"Hi, I recently encountered a problem that is related to Django, I think I should report and discuss with you.

As I know, `escapejs` is a helpful template filter which can protect us from XSS attacks in JavaScript strings like this:

{{{
<script>
    function example() {
        query = '{{ request.GET.q | escapejs }}';
    }
</script>
}}}

But a situation often arises where, as time goes on, someone thinks this function is no longer used and comments it out:

{{{
<script>
    /*
    function example() {
        query = '{{ request.GET.q | escapejs }}';
    }
    */
</script>
}}}

Oops, an XSS vulnerability is introduced. The attackers can trigger arbitrary JavaScript execution with the request {{{http://example.com/?q=*/(alert(1))/*}}}

It's not a Django security bug, but I also suggest escaping `/` and `*` in the `escapejs` filter."	New feature	closed	Template system	3.0	Normal	wontfix	escapejs		Unreviewed	0	0	0	0	0	0
