I've made a PR to drop CoffeeScript from edx-platform. As part of that work, I noticed that some of the CoffeeScript files were getting a blanket exception from xss-lint.
I kept excluding the converted files from the xss-linter, with manual line disables. I didn't want to balloon the complexity of the conversion, and I wasn't making any actual changes in xss-linter coverage.
But I'm filing this ticket for someone to go back and re-examine these long-ignored files and fix what we can or continue to exclude what we don't want to.
You should be able to search for the files I did this for by looking for the string "TODO: Examine all of the xss-lint exceptions". At the time of writing, it is these four files:
(Those paths pulled from my landing-soon PR.)