webodf / WebODF

WebODF - JavaScript Document Engine
http://webodf.org/

Editor is vulnerable to HTML injection, possibly also XSS #724

Open adityab opened 10 years ago

adityab commented 10 years ago

While we do sanitize the document for potential ways to run arbitrary code, such a measure is not implemented for the Dojo widgets.

marquee

Does ODF have restrictions on display names of things that disallow HTML-like content? If not, we should enforce something like that on our widgets. A pity Dojo does not seem to do this by default.
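The pattern the issue describes, as an added illustration that is not WebODF or Dojo code: a display name taken from the document is concatenated into widget markup, so any HTML it carries ends up in the DOM. The example models that with plain strings and shows the two mitigations the comment points at, escaping the name before it reaches the widget and rejecting HTML-like display names outright. The sample name, the `dijitButtonText` wrapper and the `isSafeDisplayName` policy are constructed for the example; ODF itself is not claimed to specify any such rule.

```javascript
// Added example, not code from the WebODF project or the Dojo toolkit.

// Untrusted display name, constructed for the example. A style or author
// name like this would travel inside the document the editor loads.
const UNTRUSTED_NAME = '<marquee>Heading 1</marquee>';

// Wrapper markup a widget might emit around a label (constructed here).
const OPEN = '<span class="dijitButtonText">';
const CLOSE = '</span>';

// Vulnerable pattern: the name is spliced straight into the markup, so the
// <marquee> above becomes a real element. A name carrying an event-handler
// attribute would go the same route, which is why HTML injection here
// "possibly also" means XSS.
function renderLabelUnsafe(displayName) {
  return OPEN + displayName + CLOSE;
}

// Mitigation 1: escape the characters that are significant in HTML text
// and attribute values before the string touches any widget.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLabelSafe(displayName) {
  return OPEN + escapeHtml(displayName) + CLOSE;
}

// Mitigation 2: refuse display names that look like markup at load time.
// The policy (no angle brackets, no entity references) is a hypothetical
// choice for this example, not something taken from the ODF specification.
const HTML_LIKE = /[<>]|&#?\w+;/;
function isSafeDisplayName(displayName) {
  return typeof displayName === 'string' && !HTML_LIKE.test(displayName);
}

// Check used to demonstrate the difference: strip the wrapper we generated
// ourselves and see whether the label part still opens a tag.
function containsInjectedTag(html) {
  const inner = html.slice(OPEN.length, html.length - CLOSE.length);
  return /<[a-z]/i.test(inner);
}
```

Escaping on output is the fix that actually closes the hole; the load-time check is defence in depth for the case the comment raises, where a value with no legitimate reason to contain markup turns up with some anyway.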

peitschie commented 10 years ago

Dojo 1.10 has a lot of improvements around this area. E.g.: https://bugs.dojotoolkit.org/ticket/8995.

Upgrading to that and revisiting all the usages of text in Dojo will likely clear most of these up.