Home/ Questions/Q 9088839
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T21:59:40+00:00

I was doing some reading on Cross-Site Scripting (XSS) attacks today. It seems that

  • 0

I was doing some reading on Cross-Site Scripting (XSS) attacks today. It seems that Backbone has model.escape('attr') built in and from what I can tell that should always be used instead of model.get('attr') to prevent these attacks.

I did some initial searching but didn’t find any recommendations of the sort. Should I always use model.escape('attr') when retrieving values from a model?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Using Underscore templates, I’ve generally seen/done it like this:

    var TemplateHtml = "<div><%- someModelAttribute %></div>"; // Really, you should load from file using something like RequireJS

var View = Backbone.View.extend({
    _template: _.template(TemplateHtml),

    render: function() {
        this.$el.html(this._template(this.model.toJSON()));
    }
});

    When you use <%- someModelAttribute %>, Underscore knows to escape the given values (as opposed to <%= someModelAttribute %> which injects the attribute directly without escaping).

    • 0