backbone@0.1.1 vulnerabilities

Give your JS App some Backbone with Models, Views, Collections, and Events.

Direct Vulnerabilities

Known vulnerabilities in the backbone package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

backbone is a module that adds structure to a JavaScript-heavy application through key-value pairs and custom events, connecting to your RESTful API through JSON.

backbone is the npm package for Backbone.js, which uses key-value binding and custom events to connect to an existing API over a RESTful JSON interface.

Backbone has a security control in its Escape function, which performs HTML encoding. However, the regex is incomplete, notably not properly handling cases such as HTML entities (e.g. not treating &#60 as <). HTML entities are often overlooked by HTML encoding security controls; you can read more detail about a similar one in the Marked package.

This exposes a Cross-site Scripting (XSS) vulnerability if users can influence the input provided.

How to fix Cross-site Scripting (XSS)?

Upgrade to version 0.5.0 or higher.

<0.1.2
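
The gap described above, as an added example that is not Backbone's own code: an encoder that skips ampersands which already start an entity, next to one that encodes every ampersand, with a round-trip check a test suite can run. The function names, the lenient regex and the sample string are assumptions made for illustration.

```javascript
// Added illustration, not Backbone's source. All names below are hypothetical.

// Lenient encoder (assumed pattern): skips any "&" that already starts an
// entity, so entities supplied in the input keep their meaning.
function escapeLenient(s) {
  return String(s)
    .replace(/&(?!\w+;|#\d+;|#x[\da-f]+;)/gi, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Strict encoder: every "&" is encoded, so nothing in the input survives
// as an entity.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeStrict(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENCODE[c]);
}

// Simplified stand-in for the HTML parser's character-reference decoding
// (only the references used here, semicolon required).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(?:#x([\da-f]+)|#(\d+)|(amp|lt|gt|quot));/gi,
    (m, hex, dec, name) => name
      ? NAMED[name.toLowerCase()]
      : String.fromCodePoint(parseInt(hex || dec, hex ? 16 : 10)));
}

// An encoder is faithful when the text a parser recovers equals the input.
function roundTrips(escapeFn, input) {
  return decodeEntities(escapeFn(input)) === input;
}

// Constructed sample: entity-encoded angle brackets plus literal markup characters.
const sample = '&#60;b&#62; & <i>';
console.log(escapeLenient(sample), roundTrips(escapeLenient, sample));
console.log(escapeStrict(sample), roundTrips(escapeStrict, sample));
```

A round-trip assertion of this kind in a project's tests flags any escaping helper that lets input-supplied entities through unchanged.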
  • M
Cross-site Scripting (XSS)

Potential XSS Exploit With User-Supplied Data in Model#escape

In applications that use the escape function, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS").

This vulnerability has not been assigned a CVE identifier.

<0.5.0