From f3523d805f926998273ecb506d353d5fc30a1a3f Mon Sep 17 00:00:00 2001
From: David Baumgold
Date: Mon, 20 May 2013 10:17:29 -0400
Subject: [PATCH] Escape section name in Backbone to prevent XSS

---
 cms/static/js/views/section.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cms/static/js/views/section.js b/cms/static/js/views/section.js
index c55a38ad38..9c29e51ddc 100644
--- a/cms/static/js/views/section.js
+++ b/cms/static/js/views/section.js
@@ -2,9 +2,9 @@ CMS.Views.SectionShow = Backbone.View.extend({
     template: _.template('<%= name %>'),
     render: function() {
         var attrs = {
+            name: this.model.escape('name'),
             tooltip: gettext("Edit this section's name")
         };
-        attrs = $.extend(attrs, this.model.attributes);
         this.$el.html(this.template(attrs));
         this.delegateEvents();
         return this;
@@ -25,10 +25,10 @@ CMS.Views.SectionShow = Backbone.View.extend({
 CMS.Views.SectionEdit = Backbone.View.extend({
     render: function() {
         var attrs = {
+            name: this.model.escape('name'),
             save: gettext("Save"),
             cancel: gettext("Cancel")
         };
-        attrs = $.extend(attrs, this.model.attributes);
         this.$el.html(this.template(attrs));
         this.delegateEvents();
         return this;
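Review bot: The escaping in both hunks is done at the data-building site (`name: this.model.escape('name')`) while the visible SectionShow template still interpolates with the unescaped `<%= name %>`, so the protection depends on every future `attrs` entry remembering to call `escape` and on nobody switching the template to `<%- name %>` (which would double-escape); a more robust placement is to keep the escaping at the output site, `template: _.template('<%- name %>')` with `name: this.model.get('name')`, or at minimum add `// pre-escaped because the template uses <%= %>` beside each `escape` call. Separately, dropping `attrs = $.extend(attrs, this.model.attributes)` in both hunks means any other model attribute a template referenced is no longer passed, and Underscore templates throw a ReferenceError on an undefined variable rather than rendering empty; SectionEdit's template is outside the second hunk, so it is worth confirming it references only `name`, `save` and `cancel`. Both `render` functions close outside their hunks.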