Merge pull request #530 from janl/improve-html-escaping

dasilvacontin · dasilvacontin · commit 34ebd1cb1aa7 · 2015-11-23T11:17:48.000Z
Improve HTML escaping
diff --git a/mustache.js b/mustache.js
@@ -63,11 +63,13 @@
     '>': '&gt;',
     '"': '&quot;',
     "'": '&#39;',
-    '/': '&#x2F;'
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
   };
 
   function escapeHtml (string) {
-    return String(string).replace(/[&<>"'\/]/g, function fromEntityMap (s) {
+    return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
       return entityMap[s];
     });
   }
diff --git a/test/_files/escaped.js b/test/_files/escaped.js
@@ -2,5 +2,5 @@
   title: function () {
     return "Bear > Shark";
   },
-  entities: "&quot; \"'<>/"
+  entities: "&quot; \"'<>`=/"
 })
diff --git a/test/_files/escaped.txt b/test/_files/escaped.txt
@@ -1,2 +1,2 @@
 <h1>Bear &gt; Shark</h1>
-And even &amp;quot; &quot;&#39;&lt;&gt;&#x2F;, but not &quot; "'<>/.
+And even &amp;quot; &quot;&#39;&lt;&gt;&#x60;&#x3D;&#x2F;, but not &quot; "'<>`=/.
