fix: BROS-664: Fix XSS via script injection in custom hotkeys

[nick-skriabin]

Addresses https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch

---

Note

Hardens client boot script against XSS from user.custom_hotkeys and adds a small templating utility.

• New Django template filter replace for simple substring replacement
• In base.html, escapes < and > in user.custom_hotkeys via |json_dumps_ensure_ascii|replace:"<|&lt;"|replace:">|&gt;"|safe before injecting into __customHotkeys

^{Written by Cursor Bugbot for commit c4839fc. This will update automatically on new commits. Configure here.}

[netlify]

✅ Deploy Preview for heartex-docs ready!

Name	Link
🔨 Latest commit	3cc7537
🔍 Latest deploy log	https://app.netlify.com/projects/heartex-docs/deploys/6952963b3d0ba600087d7c06
😎 Deploy Preview	https://deploy-preview-9084--heartex-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for label-studio-storybook ready!

Name	Link
🔨 Latest commit	3cc7537
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-storybook/deploys/6952963bc23e0000081f667e
😎 Deploy Preview	https://deploy-preview-9084--label-studio-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for label-studio-docs-new-theme ready!

Name	Link
🔨 Latest commit	3cc7537
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-docs-new-theme/deploys/6952963b841e2e00082a82bd
😎 Deploy Preview	https://deploy-preview-9084--label-studio-docs-new-theme.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for label-studio-playground ready!

Name	Link
🔨 Latest commit	3cc7537
🔍 Latest deploy log	https://app.netlify.com/projects/label-studio-playground/deploys/6952963b5585b3000888c206
😎 Deploy Preview	https://deploy-preview-9084--label-studio-playground.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.53%. Comparing base (49af3b8) to head (3cc7537).
⚠️ Report is 8 commits behind head on develop.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@             Coverage Diff              @@
##           develop    #9084       +/-   ##
============================================
+ Coverage    66.66%   81.53%   +14.86%     
============================================
  Files          832      271      -561     
  Lines        65129    24501    -40628     
  Branches     10988        0    -10988     
============================================
- Hits         43419    19976    -23443     
+ Misses       21706     4525    -17181     
+ Partials         4        0        -4     

Flag	Coverage Δ
lsf-e2e	?
lsf-integration	?
lsf-unit	?
pytests	81.53% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[nick-skriabin]

@copilot review

[Copilot]

@nick-skriabin I've opened a new pull request, #9085, to work on those changes. Once the pull request is ready, I'll request review from you.

[niklub]

Cursor review

[cursor]

✅ Bugbot reviewed your changes and found no bugs!

[nick-skriabin]

/fmt

Workflow run