Escape section name in Backbone to prevent XSS

This commit is contained in:
David Baumgold
2013-05-20 10:17:29 -04:00
parent bb0460cc0d
commit f3523d805f


@@ -2,9 +2,9 @@ CMS.Views.SectionShow = Backbone.View.extend({
template: _.template('<span data-tooltip="<%= tooltip %>" class="section-name-span"><%= name %></span>'),
render: function() {
var attrs = {
name: this.model.escape('name'),
tooltip: gettext("Edit this section's name")
};
attrs = $.extend(attrs, this.model.attributes);
this.$el.html(this.template(attrs));
this.delegateEvents();
return this;
@@ -25,10 +25,10 @@ CMS.Views.SectionShow = Backbone.View.extend({
CMS.Views.SectionEdit = Backbone.View.extend({
render: function() {
var attrs = {
name: this.model.escape('name'),
save: gettext("Save"),
cancel: gettext("Cancel")
};
attrs = $.extend(attrs, this.model.attributes);
this.$el.html(this.template(attrs));
this.delegateEvents();
return this;
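Review bot: The escaped value is overwritten before it reaches the template: `attrs = $.extend(attrs, this.model.attributes);` copies every model attribute onto `attrs`, so a raw `name` from the model replaces the `this.model.escape('name')` set two lines earlier, and in SectionShow the template interpolates it with `<%= name %>` (no escaping), which leaves the XSS this commit is meant to close. The same ordering appears in both hunks (SectionShow at line 18 and SectionEdit at line 30 of the page). Merge the other way round so the escaped field wins, `attrs = $.extend({}, this.model.attributes, attrs);`, in both render methods, or switch the template to Underscore's escaping interpolation `<%- name %>`. SectionEdit's template is not in the hunk, so I cannot confirm which interpolation it uses; it should be checked as well.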