I was doing some reading on Cross-Site Scripting (XSS) attacks today. It seems that Backbone has model.escape('attr') built in and from what I can tell that should always be used instead of model.get('attr') to prevent these attacks.
I did some initial searching but didn't find any recommendations of the sort. Should I always use model.escape('attr') when retrieving values from a model?
Using Underscore templates, I've generally seen/done it like this:
var TemplateHtml = "<div><%- someModelAttribute %></div>"; // Really, you should load from file using something like RequireJS
var View = Backbone.View.extend({
    _template: _.template(TemplateHtml),
    render: function() {
        this.$el.html(this._template(this.model.toJSON()));
    }
});
When you use <%- someModelAttribute %>, Underscore knows to escape the given values (as opposed to <%= someModelAttribute %>, which injects the attribute directly without escaping).
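To make the difference between the two tags concrete, the following is an added example that is not part of the question or the answer above and does not use Underscore or Backbone themselves. It re-implements the character set that Underscore's _.escape (and therefore Backbone's model.escape, which is _.escape applied to model.get) replaces, and a tiny stand-in for the template interpolation so that the escaped (<%- %>) and raw (<%= %>) renderings of the same attribute can be compared side by side. The model data and the function names escapeHtml, renderTemplate, renderEscaped and renderRaw are constructed for this example.

```javascript
// Added example: minimal escaping and interpolation to illustrate
// <%- %> versus <%= %>. Not Underscore's own code; the escape map below
// mirrors the characters _.escape replaces.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Escape a value for safe insertion into HTML text or attribute content.
// null/undefined become the empty string, as _.escape does.
function escapeHtml(value) {
  const str = value == null ? '' : String(value);
  return str.replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in template renderer supporting only the two tags discussed:
// <%- name %> renders the attribute escaped, <%= name %> renders it raw.
// Only plain attribute names are supported, not arbitrary expressions.
function renderTemplate(template, data) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (match, mode, name) => {
    const value = data[name];
    if (mode === '-') {
      return escapeHtml(value);
    }
    return value == null ? '' : String(value);
  });
}

// Constructed sample: a model attribute that carries untrusted markup,
// as it would after a user saved it through an API.
const sampleModel = { name: '<script>alert(1)</script>' };

// Rendering with the escaping tag keeps the markup inert text.
function renderEscaped() {
  return renderTemplate('<div><%- name %></div>', sampleModel);
}

// Rendering with the raw tag hands the markup straight to the DOM.
function renderRaw() {
  return renderTemplate('<div><%= name %></div>', sampleModel);
}

// Defender-side check: does the rendered HTML still contain a live tag
// that originated from the attribute value?
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log('escaped:', renderEscaped());
console.log('raw:    ', renderRaw());
```

The escaped rendering shows `&lt;script&gt;` as text, while the raw rendering embeds the original tag; this is exactly the property that makes <%- %> (or model.escape) the right default whenever the value could have come from a user.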