Inline JavaScript isn't properly escaped

[avernet]

To reproduce run this XForms, and notice the \n \n \n \n \n"}]}; at the top of the page. Looking at the source sent to the browser, you'll notice that the script is ended prematurely, because of a </script> in a string.

One possible solution would be have the content of the inline script protected by a CDATA section, but somehow the specific ForwardingXMLReceiver we have here has forwardLexical set to false. We could figure out to set it true, but risk having to deal with other handlers down the stream that don't properly propagate the startCDATA() and endCDATA(), so instead it seems simpler to avoid the use of CDATA and use escaping. We could escape specifically the value of the value property in orbeonInitData, but since we have other inline scripts where this problem can also occur, and since this technique seems safe, it seems safer to just escape the whole script.

+1 from community