Ruby on Rails: XSS due to incomplete JS escaping

ActionView::Helpers::JavaScriptHelper inside rails/actionview/lib/actionview/helpers/javascripthelper.rb provides JS escaping in Rails, but fails to protect template literal strings. As such, there are two ways XSS can occur: XSS via template literal break out: 1 Create a view with the following...