Escape section name in Backbone to prevent XSS

f3523d80 · David Baumgold · bb0460cc · f3523d80
Commit f3523d80 authored May 20, 2013 by David Baumgold
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

cms/static/js/views/section.js
+2 -2

No files found.
--- a/cms/static/js/views/section.js
+++ b/cms/static/js/views/section.js
@@ -2,9 +2,9 @@ CMS.Views.SectionShow = Backbone.View.extend({
    template: _.template('<span data-tooltip="<%= tooltip %>" class="section-name-span"><%= name %></span>'),
    render: function() {
        var attrs = {
+            name: this.model.escape('name'),
            tooltip: gettext("Edit this section's name")
        };
-        attrs = $.extend(attrs, this.model.attributes);
        this.$el.html(this.template(attrs));
        this.delegateEvents();
        return this;
@@ -25,10 +25,10 @@ CMS.Views.SectionShow = Backbone.View.extend({
 CMS.Views.SectionEdit = Backbone.View.extend({
    render: function() {
        var attrs = {
+            name: this.model.escape('name'),
            save: gettext("Save"),
            cancel: gettext("Cancel")
        };
-        attrs = $.extend(attrs, this.model.attributes);
        this.$el.html(this.template(attrs));
        this.delegateEvents();
        return this;