This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
{ "binaries": [ { "binary_version": "1.11.4+dfsg-1", "binary_name": "libjs-jquery-datatables" } ] }
{ "binaries": [ { "binary_version": "1.11.5+dfsg-2", "binary_name": "libjs-jquery-datatables" } ] }
{ "binaries": [ { "binary_version": "1.10.11+dfsg-2", "binary_name": "libjs-jquery-datatables" } ] }
{ "binaries": [ { "binary_version": "1.10.16+dfsg-1", "binary_name": "libjs-jquery-datatables" } ] }
{ "binaries": [ { "binary_version": "1.10.20+dfsg-1", "binary_name": "libjs-jquery-datatables" } ] }