Ticket missed a few places where text needs to be escaped before being embedded into HTML to prevent XSS attacks and markup errors. In each of the examples below, HTML should never be passed in, and it is safe to always escape the text to ensure any special characters are not mistaken for HTML by the browser.
The "meta" function's content variable
The "meta" function's content variable when it is an array of structs
Both places src is output in the "video" function
Both places src is output in the "audio" function
Option "value" in the "options" function
Option name in the "options" function
JS and CSS includes in the "addAsset" function
The "value" parameter in the "textArea" function
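
The effect of the missing escaping on three of the places listed above, as an added example that is not the project's own code. The Python functions are hypothetical stand-ins named after the helpers in the ticket; their signatures, the `name`/`content` struct keys and the sample data are assumptions.

```python
from html import escape


def esc(text):
    """Escape &, <, >, " and ' so text is inert in element bodies and quoted attributes."""
    return escape(str(text), quote=True)


def meta(content):
    """content: list of dicts with 'name' and 'content' keys (assumed array-of-structs form)."""
    return "\n".join(
        f'<meta name="{esc(item["name"])}" content="{esc(item["content"])}">'
        for item in content
    )


def options(pairs, escape_output=True):
    """pairs: list of (value, name). escape_output=False reproduces the unescaped output."""
    f = esc if escape_output else str
    return "\n".join(
        f'<option value="{f(value)}">{f(name)}</option>' for value, name in pairs
    )


def text_area(name, value):
    """The value lands in the element body, so < and > must be escaped as well as quotes."""
    return f'<textarea name="{esc(name)}">{esc(value)}</textarea>'


# Constructed sample data: ordinary text that happens to contain HTML special characters.
SAMPLE_OPTIONS = [('5" wrench', 'Wrench <5"> & sockets')]
SAMPLE_META = [{"name": "description", "content": 'Tools & "hardware" <catalog>'}]
SAMPLE_TEXT = "</textarea><p>note"

if __name__ == "__main__":
    # Unescaped: the value attribute ends at the first " and the rest becomes stray markup.
    print(options(SAMPLE_OPTIONS, escape_output=False))
    # Escaped: the browser shows the original text and the markup stays well-formed.
    print(options(SAMPLE_OPTIONS))
    print(meta(SAMPLE_META))
    print(text_area("notes", SAMPLE_TEXT))
```
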