Commit f3523d80 by David Baumgold

Escape section name in Backbone to prevent XSS

parent bb0460cc
...@@ -2,9 +2,9 @@ CMS.Views.SectionShow = Backbone.View.extend({ ...@@ -2,9 +2,9 @@ CMS.Views.SectionShow = Backbone.View.extend({
template: _.template('<span data-tooltip="<%= tooltip %>" class="section-name-span"><%= name %></span>'), template: _.template('<span data-tooltip="<%= tooltip %>" class="section-name-span"><%= name %></span>'),
render: function() { render: function() {
var attrs = { var attrs = {
name: this.model.escape('name'),
tooltip: gettext("Edit this section's name") tooltip: gettext("Edit this section's name")
}; };
attrs = $.extend(attrs, this.model.attributes);
this.$el.html(this.template(attrs)); this.$el.html(this.template(attrs));
this.delegateEvents(); this.delegateEvents();
return this; return this;
...@@ -25,10 +25,10 @@ CMS.Views.SectionShow = Backbone.View.extend({ ...@@ -25,10 +25,10 @@ CMS.Views.SectionShow = Backbone.View.extend({
CMS.Views.SectionEdit = Backbone.View.extend({ CMS.Views.SectionEdit = Backbone.View.extend({
render: function() { render: function() {
var attrs = { var attrs = {
name: this.model.escape('name'),
save: gettext("Save"), save: gettext("Save"),
cancel: gettext("Cancel") cancel: gettext("Cancel")
}; };
attrs = $.extend(attrs, this.model.attributes);
this.$el.html(this.template(attrs)); this.$el.html(this.template(attrs));
this.delegateEvents(); this.delegateEvents();
return this; return this;
......
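Review bot: The SectionShow template still interpolates with the unescaped `<%= name %>`, so the fix now depends on every render path remembering to call `this.model.escape('name')` rather than on the template itself; moving the escaping to the template with `<%- name %>` and passing `name: this.model.get('name')` keeps the HTML-context escaping next to the markup (the same applies to the SectionEdit hunk, whose template is outside this diff). Dropping `attrs = $.extend(attrs, this.model.attributes)` also removes every other model attribute from the template data, which is fine for the visible SectionShow template but should be confirmed against the SectionEdit template, since any `<%= id %>`-style reference there would now render `undefined`. The `data-tooltip="<%= tooltip %>"` attribute is likewise unescaped; the gettext string is not user-controlled, but a translation containing `"` would break out of the attribute, so `<%- tooltip %>` would be the safer form. Both `Backbone.View.extend({ ... })` bodies continue outside their hunks.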