What does/should Handlebars escaping escape?

[greaber]

All HTML escaping systems escape <, >, &, ', and ". The Handlebars docs say it also escapes , and a glance at the code suggests is escapes not only but also =. So it seems like the docs are wrong? Also, why escape ``` or =?

[kpdecker]

= was added recently and we missed adding that to the docs. There are possible XSS attacks that are mitigated by each of those escapes. Ex: #1083

We need to update the docs to include the = escape as well.

[greaber]

Yeah, I almost mentioned that I could see that escaping = seems like it would make it much less likely that forgetting to quote attribute values would lead to an exploit. But what is the ``` issue?

[kpdecker]

I believe that it's something specific to IE. If you look through the commit history on the repo you can track it down.

[greaber]

Yep, this article confirms that IE (at least through version 10, which was current when it was written) will treat ``` as a quoting character like ' and `"`.