Severity: high

Cross-Site Scripting



Versions of backbone prior to 0.5.0 are vulnerable to Cross-Site Scripting (XSS) when attacker-controlled attribute values are read through the Model#escape function and the result is written to the DOM as HTML (for example via innerHTML or an HTML template).

The root cause is the regular expression Model#escape uses to encode HTML metacharacters: it does not account for HTML entities already present in the input, so markup that should have been neutralised (a `<`, for instance) can survive escaping and reach the page as active HTML. Note that Model#escape is only intended for the HTML text context; it does not make a value safe for use inside a script block, a URL, or an unquoted attribute, and it should not be relied on for those contexts in any version.
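As an added illustration (not backbone's code, and not a reproduction of the exact regular expression in the affected versions), the block below contrasts a strict HTML escaper that encodes every metacharacter unconditionally with an entity-preserving escaper of the kind the advisory describes, which leaves an `&` alone whenever it already looks like an entity. The round-trip check is the test a practitioner wants: decoding an escaper's output exactly once must give back the original string; when it does not, attacker-supplied entity text has been passed through, and whatever decodes the value next (an attribute read back out of the DOM, a second template pass) sees raw markup. The function names, the weak regex and the sample inputs are all constructed for this example.

```javascript
// Added example: strict vs. entity-preserving HTML escaping.
// Not backbone's code; the "weak" regex below is a constructed illustration
// of the flaw class, not the advisory's exact pattern.

// Strict escaper: every HTML metacharacter is encoded, unconditionally.
// This is the property an escape function must provide before its output
// is written to the DOM.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"'\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Weak escaper (constructed): skips '&' when it already looks like an entity,
// intending to avoid double-encoding. The side effect is that untrusted input
// such as "&lt;script&gt;" passes through unchanged.
function escapeHtmlPreservingEntities(value) {
  const s = value == null ? '' : String(value);
  return s
    .replace(/&(?!\w+;|#\d+;|#x[0-9a-f]+;)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;').replace(/\//g, '&#x2F;');
}

// Stand-in for any downstream step that decodes the value once more
// (the browser parsing an attribute value, a second template pass, ...).
// '&amp;' is decoded last so that decoding cannot create new entities.
function decodeOnce(s) {
  return s
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#x27;/g, "'").replace(/&#x2F;/g, '/')
    .replace(/&amp;/g, '&');
}

// Round-trip property a correct escaper must satisfy: decoding its output
// exactly once yields the original string. If it does not, some of the
// output's entities were supplied by the attacker, not by the escaper.
function roundTrips(escaper, input) {
  return decodeOnce(escaper(input)) === input;
}

// Constructed test inputs: plain markup, pre-encoded markup, and a mix.
const SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '&lt;script&gt;alert(1)&lt;/script&gt;',
  'a &amp; b < c',
];

// For each sample, reports whether each escaper passes the round-trip check
// and what the weak escaper's output becomes after a single decode.
function compareEscapers(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    strictRoundTrips: roundTrips(escapeHtml, input),
    weakRoundTrips: roundTrips(escapeHtmlPreservingEntities, input),
    weakAfterOneDecode: decodeOnce(escapeHtmlPreservingEntities(input)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareEscapers()) console.log(r);
}
```

The strict escaper round-trips on every sample; the entity-preserving one fails on the second and third, and its output for the second sample decodes to `<script>alert(1)</script>`. That is the same shape of mistake the advisory points at: an escaper that tries to be clever about existing entities no longer guarantees that every entity in its output is one it produced.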


Update to version 0.5.0 or later. If you cannot upgrade immediately, do not write the output of Model#escape to the DOM as HTML; instead escape the raw attribute value yourself with an escaper that encodes every HTML metacharacter unconditionally (for example Underscore's `_.escape`), or insert it as text (textContent) rather than as markup.


Advisory timeline

  1. Published
     Advisory published, May 23rd, 2016
  2. Reported
     Initial report by Unknown, May 5th, 2016