N/A

backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function of backbone 0.3.3 and earlier, if a user is able to supply input. This is due to the regex that's replacing things to miss the conversion of things such as `<` to `<`.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

backbone.js 跨站脚本漏洞

backbone.js是开源的一套JavaScript框架与RESTful JSON的应用程序接口。也是一套大致上符合MVC架构的编程范型。Backbone.js以轻量为特色，只需依赖一套Javascript 库即可运行。常被用来开发单页的互联网应用程序，以及用来维护网络应用程序的各种部分的同步。 backbone.js 0.3.3及之前版本中的‘Model#Escape’函数存在跨站脚本漏洞，该漏洞源于用于编码元字符的正则表达式没有将XML实体（例如：<）考虑在内。远程攻击者可利用该漏洞注入任意的Web

N/A

N/A