From 82c288c91e9c3781e3afeedf1aa30626e6f9a788 Mon Sep 17 00:00:00 2001
From: Francis
Date: Sat, 7 May 2011 22:47:35 -0700
Subject: [PATCH] Following recommendations from the OWASP https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Should be tested with http://ha.ckers.org/xss.html Make sure your pages are utf8!
---
 backbone.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backbone.js b/backbone.js
index 7ec5d484..795b48b3 100644
--- a/backbone.js
+++ b/backbone.js
@@ -1094,7 +1094,7 @@
 // Helper function to escape a string for HTML rendering.
 var escapeHTML = function(string) {
- return string.replace(/&(?!\w+;|#\d+;|#x[\da-f]+;)/gi, '&').replace(//g, '>').replace(/"/g, '"');
+ return string.replace(/&(?!\w+;|#\d+;|#x[\da-f]+;)/gi, '&').replace(//g, '>').replace(/"/g, '"').replace(/'/g, ''').replace(/\//g,'/');
 };
 }).call(this);
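Review bot: The added `'` and `/` replacements leave the helper's comment saying only that it escapes "for HTML rendering", which no longer states what callers can rely on: the `&` regex's negative lookahead `(?!\w+;|#\d+;|#x[\da-f]+;)` deliberately leaves existing entity references untouched, so `escapeHTML` is not a blanket encoder and input that already contains entity text passes through unchanged. I would expand the comment to something like `// Escapes &, <, >, ", ' and / for HTML element content and quoted attribute values; existing entity references are preserved. Not sufficient on its own for unquoted attributes, inline JS, CSS or URL contexts.` As a point of style, a long chain of per-character regex replaces is hard to audit; a single pass such as `string.replace(/[<>"'\/]/g, function(c) { return map[c]; })` with one lookup table keeps every entity in one place, with the entity-preserving `&` rule kept as its own first step. On this page the replacement literals appear with their entities decoded (`'&'`, `//g`), so the exact entity strings cannot be confirmed from the hunk as shown.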