Improve HTML escaping.

phillipj · phillipj · commit 378bcca8a5cf · 2015-11-17T09:14:32.000+01:00
This closes a couple of potential exploit scenarios. Backtick (`) for older IEs and equals (=) for unquoted attributes. Refs handlebars-lang/handlebars.js@83b8e84 Closes #388
diff --git a/mustache.js b/mustache.js
@@ -63,11 +63,13 @@
     '>': '&gt;',
     '"': '&quot;',
     "'": '&#39;',
-    '/': '&#x2F;'
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
   };
 
   function escapeHtml (string) {
-    return String(string).replace(/[&<>"'\/]/g, function fromEntityMap (s) {
+    return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
       return entityMap[s];
     });
   }
diff --git a/test/_files/escaped.js b/test/_files/escaped.js
@@ -2,5 +2,5 @@
   title: function () {
     return "Bear > Shark";
   },
-  entities: "&quot; \"'<>/"
+  entities: "&quot; \"'<>`=/"
 })
diff --git a/test/_files/escaped.txt b/test/_files/escaped.txt
@@ -1,2 +1,2 @@
 <h1>Bear &gt; Shark</h1>
-And even &amp;quot; &quot;&#39;&lt;&gt;&#x2F;, but not &quot; "'<>/.
+And even &amp;quot; &quot;&#39;&lt;&gt;&#x60;&#x3D;&#x2F;, but not &quot; "'<>`=/.

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`<h1>Bear > Shark</h1>`
`2`		`-And even &quot; "'<>/, but not " "'<>/.`
	`2`	+And even &quot; "'<>`=/, but not " "'<>`=/.