What version are you running?
What's the URL of the page containing the problem?
https://reviews.reviewboard.org/r/5570/diff/
What steps will reproduce the problem?
1. Change the name to "</script><script>alert</scritp>".
2. Add a comment on the review diff.
3. When viewing the diff, an alert pops up.
What is the expected output? What do you see instead?
What operating system are you using? What browser?
Please provide any additional information below.
`{"name": "</script><script> alert(1)</script>"}` is valid JSON.
But it is output into a script tag:
```
<script>
var json = {"name": "</script><script> alert(1)</script>"};
</script>
```
which is the same as this:
```
<script>
var json = {"name": "
</script>
<script> alert(1)</script>
"};</script>
```
https://code.google.com/p/reviewboard/source/browse/trunk/reviewboard/reviews/templatetags/reviewtags.py#154
https://code.google.com/p/reviewboard/source/browse/trunk/reviewboard/reviews/templatetags/reviewtags.py#202
I think the characters &, < and > should be escaped in the result from simplejson.dumps, or JSONEncoderForHTML should be used.
https://github.com/simplejson/simplejson/blob/master/simplejson/encoder.py#L353
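As an added example (not Review Board's code), the escaping described above written against the standard-library `json` module instead of simplejson, with the plain `dumps` pattern from the report next to the safe encoder; `UNTRUSTED_NAME` is a constructed sample value.

```python
import json

# Constructed sample input matching the report: a user-controlled name that
# contains a closing script tag.
UNTRUSTED_NAME = '</script><script> alert(1)</script>'


def unsafe_json(data) -> str:
    """The pattern from the report: plain dumps() inlined into a <script> block.

    json.dumps leaves '<', '>' and '&' untouched, so a value containing
    '</script>' ends the script element early when the browser parses the page.
    """
    return json.dumps(data)


def json_for_script(data) -> str:
    """JSON that is safe to inline inside <script>...</script>.

    Replaces '&', '<' and '>' with their \\uXXXX JSON escapes. The result is
    still valid JSON (the JavaScript parser decodes the escapes back to the
    original characters), but the HTML parser never sees a literal '</script>'.
    Same idea as simplejson's JSONEncoderForHTML, done here with stdlib json so
    it runs without simplejson installed.
    """
    return (json.dumps(data)
            .replace('&', '\\u0026')
            .replace('<', '\\u003c')
            .replace('>', '\\u003e'))


def breaks_out_of_script(serialized: str) -> bool:
    """True if the serialized text would close a <script> element early."""
    return '</script' in serialized.lower()


def roundtrips(data) -> bool:
    """Check that escaping did not change the value JavaScript will receive."""
    return json.loads(json_for_script(data)) == data


def render_script_tag(data) -> str:
    """Build the script block shown in the report, using the safe encoder."""
    return '<script>\nvar json = %s;\n</script>' % json_for_script(data)


if __name__ == '__main__':
    payload = {'name': UNTRUSTED_NAME}
    print('unsafe:', unsafe_json(payload))
    print('safe:  ', json_for_script(payload))
    print(render_script_tag(payload))
```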