backbone FAQ encourages an approach vulnerable to script injection #1034
Comments
I agree that this type of escaping is very important and it gave me a great excuse to reread the post by Mathias Bynens. I'm not sure the details of this are within the scope of the FAQ, but maybe we could just mention it briefly?
Thanks for the heads up -- unfortunately, I'm a little less sensitive on these topics because all of my Backbone projects don't take in untrusted user data. @gfxmonk: Do you have a suggested simple revision to the FAQ example?
I'd suggest replacing the current snippets with the slightly more unsightly: model.to_json.gsub("</", "<\/")
And include a link beneath it along the lines of "(why is the gsub
It'd be good if there were a standard ruby function to do the gsub for you,
For the record, this stuff can still break a site with only trusted
Prevent javascript injection attacks when bootstrapping data #1034
Just a heads up that the advice at http://documentcloud.github.com/backbone/#FAQ-bootstrap is bad - a simple JSON encode leaves you open to javascript injection attacks for data that contains e.g. "</script><script>[injected code]</script>".
You should actually do a json encode, then replace "</" with "<\/". At least for html, the rules for xhtml may be different. You can read more here:
http://stackoverflow.com/questions/779959/is-it-necessary-to-escape-character-and-for-javascript-string
Unfortunately, there seems to be no good name for this kind of encoding (maybe it's related to sgml?) so it's kinda hard to find information on the topic.
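The gsub suggested in the comment above, written out as a small Ruby helper with a check that shows why a plain JSON encode is not enough. This is an added example, not code from the issue or from Backbone; `json_for_script` and `breaks_out_of_script?` are names chosen here, and the U+2028/U+2029 handling goes beyond what the issue text discusses.

```ruby
require 'json'

# Serialise a Ruby object as JSON that is safe to embed inside an HTML
# <script> block. Plain JSON encoding is not enough: the HTML parser ends
# the script element at the first "</script" it sees, regardless of
# JavaScript string quoting, so a value containing "</script><script>..."
# breaks out of the data literal. Replacing "</" with "<\/" keeps the JSON
# valid (an escaped solidus is legal JSON) but removes the end-tag sequence.
def json_for_script(obj)
  json = JSON.generate(obj)
  # gsub with a block so the replacement is taken literally (no backslash
  # substitution rules are applied to a block's return value).
  json = json.gsub('</') { '<\/' }
  # Assumption beyond the issue text: U+2028/U+2029 are legal raw inside a
  # JSON string but terminate a JavaScript string literal in pre-ES2019
  # engines, so escape them as well.
  json = json.gsub("\u2028") { '\u2028' }
  json.gsub("\u2029") { '\u2029' }
end

# Does the text still contain the sequence the HTML tokenizer treats as the
# end of the script element? (The tokenizer matches case-insensitively.)
def breaks_out_of_script?(script_body)
  script_body.downcase.include?('</script')
end

# Constructed example of hostile, user-supplied data.
HOSTILE = { 'title' => '</script><script>alert(1)</script>', 'id' => 7 }

naive = JSON.generate(HOSTILE)
safe  = json_for_script(HOSTILE)

puts "naive: #{naive}"
puts "safe:  #{safe}"
puts "naive breaks out of <script>? #{breaks_out_of_script?(naive)}"
puts "safe breaks out of <script>?  #{breaks_out_of_script?(safe)}"
# The escaped form still parses back to the identical object.
puts "round-trips: #{JSON.parse(safe) == HOSTILE}"
```

Recent versions of the json gem offer a `script_safe: true` option on `JSON.generate` that performs this escaping itself; check the version you have installed before relying on it.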