Fix XSS vulnerability in project selector (#3797)

* Fix XSS vulnerability in project selector

@getsentry/security

src/sentry/templatetags/sentry_api.py

@@ -21,7 +21,7 @@ def serialize(context, obj):
     else:
         user = None
 
-    return mark_safe(json.dumps(serialize_func(obj, user)))
+    return convert_to_json(serialize_func(obj, user), escape=True)
 
 
 @register.simple_tag
@@ -45,7 +45,7 @@ def serialize_detailed_org(context, obj):
         DetailedOrganizationSerializer(),
     )
 
-    return mark_safe(json.dumps(context))
+    return convert_to_json(context, escape=True)
 
 
 @register.simple_tag
@@ -62,4 +62,4 @@ def get_user_context(request, escape=False):
                 result['name'] = user.name
     else:
         result = {}
-    return mark_safe(json.dumps(result))
+    return convert_to_json(result, escape=True)

tests/sentry/templatetags/test_sentry_api.py

@@ -0,0 +1,22 @@
+from __future__ import absolute_import
+
+from django.template import Context, Template
+
+from sentry.testutils import TestCase
+
+
+class SerializeDetailedOrgTest(TestCase):
+    TEMPLATE = Template("""
+        {% load sentry_api %}
+        {% serialize_detailed_org org %}
+    """)
+
+    def test_escapes_js(self):
+        org = self.create_organization(name='<script>alert(1);</script>')
+
+        result = self.TEMPLATE.render(Context({
+            'org': org,
+        }))
+
+        assert '<script>' not in result
+        assert '&lt;script&gt;' in result