Description of problem:
The search bar code for emitting the "search object" onto the page (JS object defining all possible search fields, operations, and values) does not correctly escape </script> tags appearing in string literals.
If the admin defines a key type or arch containing </script>... it will appear unescaped in the page.
Basically a dupe of bug 1209736 because the search bar code is not using tg.to_json like everything else.
Version-Release number of selected component (if applicable):
affects all Beaker versions since 2011 or earlier
How reproducible:
with admin access
Steps to Reproduce:
1. As an admin, add a key type: <script>alert('xss')</script>
2. Go to the systems page
Actual results:
'xss' alert appears. </script> is unescaped inside the JS string literal.
Expected results:
</script> is escaped correctly.
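The expected escaping, as an added example that is not Beaker's code and does not reproduce tg.to_json: the helper names and the sample search object are constructed for illustration. It compares plain JSON output with output that is safe to emit inside a script element.

```python
import json

# Constructed sample: a search object carrying the key type from the
# reproduction steps. The real Beaker search object has a different shape.
SEARCH_OBJECT = {"keyvals": ["<script>alert('xss')</script>", "CPUMODEL"]}

# JSON escapes quotes and backslashes, but "<", ">" and "&" are legal inside a
# JSON string. The HTML parser does not know about JS string literals, so these
# must be written as \uXXXX escapes, which JS and JSON decode to the same text.
_HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def naive_json(obj):
    """Plain JSON: valid JavaScript, but not safe inside <script>...</script>."""
    return json.dumps(obj)


def to_script_safe_json(obj):
    """JSON with HTML-sensitive characters replaced by \\uXXXX escapes.

    In JSON text these characters can only occur inside string literals, so a
    textual replacement cannot change the structure of the document.
    """
    text = json.dumps(obj)
    for char, escape in _HTML_SENSITIVE.items():
        text = text.replace(char, escape)
    return text


def render_script(json_text):
    """Emit the object the way a template would inline it into the page."""
    return "<script>var search_object = %s;</script>" % json_text


def script_body(html):
    """Return what an HTML parser treats as the script's content.

    Simplification: the script element ends at the first "</script",
    matched case-insensitively, wherever it occurs in the source.
    """
    lowered = html.lower()
    start = lowered.index("<script>") + len("<script>")
    return html[start:lowered.index("</script", start)]


if __name__ == "__main__":
    print(script_body(render_script(naive_json(SEARCH_OBJECT))))
    print(script_body(render_script(to_script_safe_json(SEARCH_OBJECT))))
```

With plain JSON the script body is cut off in the middle of the string literal; with the escaped form the whole assignment stays inside the script element and still decodes to the original value.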