ZempTime/lemonapp

XSS in js render

Opened this issue · 1 comments

If you edit the lemon description to be:
"); alert('THINE HOLY RINDS FILL THE WORLD WITH JOY') //

you get a nice alert box! I checked with a couple of tools (brakeman and ZAP) but it doesn't show up.

To get the XSS to execute in HTML rather than js

</a><img src='' />
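The two payloads in this report show the same field being rendered into two different contexts, a JavaScript string literal and HTML markup, each needing its own escaping. The following Ruby script is an added illustration and is not code from lemonapp; the `showLemon` function, the `/lemons/1` path and the template shapes are hypothetical stand-ins for whatever the real views do. It renders the issue's description through a vulnerable template and a hardened one for each context, and includes a small check that flags when the JS string literal has been broken out of (the kind of regression test that would have caught this before brakeman or ZAP had a chance to miss it).

```ruby
require 'json'
require 'cgi'

# Constructed sample inputs, copied from the issue report.
JS_DESCRIPTION   = %q{"); alert('THINE HOLY RINDS FILL THE WORLD WITH JOY') //}
HTML_DESCRIPTION = %q{</a><img src='' />}

# Vulnerable JS pattern (hypothetical template, not lemonapp's own):
# the description is interpolated straight into a JS string literal, so a
# double quote in the data ends the literal and everything after it is code.
def render_js_vulnerable(description)
  %Q{showLemon("#{description}");}
end

# Hardened form: serialise the value as a JSON string literal, then also
# escape <, >, & and the U+2028/2029 line terminators so the value can never
# close a surrounding <script> tag or break the JS line. This is the same
# mapping Rails' ERB::Util.json_escape applies, written out with only the
# standard library so the block runs without Rails.
JS_UNSAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def js_string_literal(value)
  value.to_s.to_json.gsub(/[<>&\u2028\u2029]/) { |c| JS_UNSAFE[c] }
end

def render_js_hardened(description)
  "showLemon(#{js_string_literal(description)});"
end

# HTML context: the same field rendered into markup must be HTML-escaped,
# otherwise it can close the enclosing <a> and open new elements.
def render_html_vulnerable(description)
  %Q{<a href="/lemons/1">#{description}</a>}
end

def render_html_hardened(description)
  %Q{<a href="/lemons/1">#{CGI.escapeHTML(description)}</a>}
end

# True if `inner` (the text between the literal's opening and closing quote)
# contains a double quote that is not preceded by a backslash escape.
def unescaped_quote?(inner)
  escaped = false
  inner.each_char do |c|
    if escaped
      escaped = false
    elsif c == '\\'
      escaped = true
    elsif c == '"'
      return true
    end
  end
  false
end

# Regression check for the JS context: the argument to showLemon must be a
# single string literal with no unescaped quote inside it.
def js_string_stays_closed?(rendered)
  body = rendered[/\AshowLemon\((.*)\);\z/m, 1] or return false
  return false unless body.length >= 2 && body.start_with?('"') && body.end_with?('"')
  !unescaped_quote?(body[1..-2])
end

# Regression check for the HTML context: exactly one opening and one closing
# tag should survive, i.e. the description introduced no markup of its own.
def html_context_intact?(rendered)
  rendered.scan(%r{</?[a-z]}i).length == 2
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable JS:   #{render_js_vulnerable(JS_DESCRIPTION)}"
  puts "hardened JS:     #{render_js_hardened(JS_DESCRIPTION)}"
  puts "vulnerable HTML: #{render_html_vulnerable(HTML_DESCRIPTION)}"
  puts "hardened HTML:   #{render_html_hardened(HTML_DESCRIPTION)}"
end
```

The important design point is that escaping is chosen by the output context, not by the data: the JSON serialisation handles the quote that this report abuses, the extra `<`/`>`/`&` substitution handles the separate `</script>` break-out that plain `to_json` does not cover, and `CGI.escapeHTML` handles the HTML variant. Scanners like brakeman tend to miss this class because the interpolation lives inside a `<script>` block rather than in an HTML attribute or text node, so a context-specific check in the test suite is worth more than a clean scan.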