While this isn't a Bokeh-specific issue or vulnerability, since web applications should always sanitize text input at the input stage, we will be making some changes to make this potential problem much less likely for people:
- Escape HTML/JS in all fields except CustomJS, custom HoverTool templates, Div widgets, etc., and augment the documentation around these classes to stress that they transmit unescaped HTML/JS by design and should never be used with unsanitized third-party input.
- In ALL cases, fully escape the "</script>" string, since this is never appropriate in Bokeh-generated output.
There is an issue you can track or discuss on here:
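The two escaping steps listed above (HTML-escape plain-text fields, and always escape "</script>" in the serialized document before it is embedded inline), as an added Python example that is not Bokeh's own code; the field names, the inline script wrapper and the input string are constructed for illustration:

```python
import html
import json
import re

# Matches the sequence an HTML parser treats as the end of an inline <script>
# block (tag names are case-insensitive), so it is caught in any case.
_SCRIPT_TERMINATOR = re.compile(r"</(script)", re.IGNORECASE)


def escape_text_field(value: str) -> str:
    """Escape a plain-text model field (e.g. a title) so it renders as text, not markup."""
    return html.escape(value, quote=True)


def escape_script_terminator(doc_json: str) -> str:
    """Rewrite '</script' as '<\\/script' inside serialized JSON.

    JSON accepts '\\/' as an escape for '/', so the document decodes to exactly
    the same value, but the HTML parser no longer sees a closing script tag.
    """
    return _SCRIPT_TERMINATOR.sub(r"<\\/\1", doc_json)


def render_document(doc: dict) -> str:
    """Serialize a document and embed it inline; the terminator is escaped unconditionally."""
    doc_json = escape_script_terminator(json.dumps(doc))
    return f'<script type="application/json" id="doc">{doc_json}</script>'


def decode_document(doc_json: str) -> dict:
    """Decode serialized JSON the way the client would; used to confirm the round trip."""
    return json.loads(doc_json)


def count_closing_script_tags(page: str) -> int:
    """Closing script tags the browser would see; exactly one (the real one) is expected."""
    return len(_SCRIPT_TERMINATOR.findall(page))


# Constructed third-party input containing the dangerous sequence.
UNTRUSTED_TITLE = "Quarterly report </script> draft"

if __name__ == "__main__":
    # "div_text" stands in for a field that carries raw HTML by design and is
    # therefore not HTML-escaped; the terminator escape still protects it.
    doc = {"title": escape_text_field(UNTRUSTED_TITLE), "div_text": UNTRUSTED_TITLE}
    page = render_document(doc)
    print(page)
    print("closing script tags seen by the browser:", count_closing_script_tags(page))
```

The unescaped field shows why the second rule is applied in all cases: without it the raw field would terminate the inline script early even though the title was already escaped.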