
backbone FAQ encourages an approach vulnerable to script injection #1034

Closed
timbertson opened this issue Feb 21, 2012 · 3 comments

Comments

@timbertson
Copy link

Just a heads up that the advice at http://documentcloud.github.com/backbone/#FAQ-bootstrap is bad - a simple JSON encode leaves you open to javascript injection attacks for data that contains e.g "</script><script>[injected code]</script>".

You should actually do a JSON encode, then replace "</" with "<\/". At least for HTML, the rules for XHTML may be different. You can read more here:
http://stackoverflow.com/questions/779959/is-it-necessary-to-escape-character-and-for-javascript-string

Unfortunately, there seems to be no good name for this kind of encoding (maybe it's related to sgml?) so it's kinda hard to find information on the topic.

@braddunbar
Copy link
Collaborator

I agree that this type of escaping is very important and it gave me a great excuse to reread the post by Mathias Bynens. I'm not sure the details of this are within the scope of the FAQ, but maybe we could just mention it briefly?

@jashkenas
Copy link
Owner

Thanks for the heads up -- unfortunately, I'm a little less sensitive on these topics because all of my Backbone projects don't take in untrusted user data. @gfxmonk: Do you have a suggested simple revision to the FAQ example?

@timbertson
Copy link
Author

I'd suggest replacing the current snippets with the slightly more unsightly:

model.to_json.gsub("</", "<\\/")  # "<\/" is still valid JSON, but the HTML parser no longer sees an end tag

And include a link beneath it along the lines of "(why is the gsub important?)" going to that ETAGO link Brad posted for those that are confused or wanting more info. Thanks for the link Brad, I hadn't seen it before but it's very appropriate.

It'd be good if there were a standard Ruby function to do the gsub for you, but I don't know of any.

For the record, this stuff can still break a site with only trusted content, if any of it smells like HTML tags. Probably not in an insecure way, but broken is broken.
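An added example in Ruby, not code from the Backbone project or from any of the participants above, that shows both the breakout described in the first comment and the gsub fix proposed in the last one. The bootstrap snippet, the sample record with an attacker-controlled "bio" field, and the helper that splits a page into script bodies the way a browser's tokenizer would are all constructed for this illustration.

```ruby
require 'json'

# Escape a JSON document so it can be embedded inside an HTML <script> element.
# The HTML tokenizer ends a script element at the first "</script" it meets,
# without any notion of JSON string boundaries, so "</" must never appear
# literally. "<\/" is still valid JSON and JavaScript ("\/" is an escaped
# solidus), so the data parses exactly as before.
def escape_json_for_script(json)
  json.gsub("</", "<\\/")
end

# Build a bootstrap snippet in the style of the Backbone FAQ, with or without
# the escape applied (constructed for this example).
def bootstrap_script(data, escaped: true)
  json = JSON.generate(data)
  json = escape_json_for_script(json) if escaped
  "<script>var accounts = #{json};</script>"
end

# Split a page into the script bodies a browser would execute: each element's
# content runs from "<script>" to the next "</script", whatever is in between.
# This mimics the tokenizer's behaviour; it is not an HTML parser.
def script_bodies(html)
  html.scan(/<script>(.*?)<\/script/mi).flatten
end

# Constructed sample data: one record whose "bio" came from an untrusted user.
SAMPLE = [{ "name" => "mallory", "bio" => "</script><script>alert(1)</script>" }]

# Unescaped: the injected "</script>" ends the bootstrap element early and the
# following "<script>alert(1)</script>" becomes a second, attacker-controlled
# script element.
def unsafe_bodies
  script_bodies(bootstrap_script(SAMPLE, escaped: false))
end

# Escaped: the page contains exactly one script element holding the whole JSON.
def safe_bodies
  script_bodies(bootstrap_script(SAMPLE))
end

# The escaped JSON round-trips to the original data, since "\/" decodes to "/".
def round_trip
  JSON.parse(escape_json_for_script(JSON.generate(SAMPLE)))
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped script bodies: #{unsafe_bodies.inspect}"
  puts "escaped script bodies:   #{safe_bodies.inspect}"
  puts "round trip matches:      #{round_trip == SAMPLE}"
end
```

Replacing "</" rather than every "<" is the minimum needed for an HTML document; escaping "<" as "\u003c" (which is what Rails' ERB::Util.json_escape does) is equally valid JSON and also covers the case where the JSON later lands in an attribute or in a page served as XHTML, where a bare "<" inside script content is a parse error regardless of the slash. Recent versions of the json gem also accept JSON.generate(data, script_safe: true), which escapes "/" and the U+2028/U+2029 line terminators for the same purpose.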
