Add single quote to list of characters escaped #69

Open
pinterface opened this issue Apr 26, 2013 · 6 comments
Labels
omission accidentally left unspecified

Comments

@pinterface

interpolation.yml states that only four characters are escaped: & " < >. It should also include the single quote '. (It should probably also explicitly state whether an implementation can escape additional characters and still remain spec-compliant.)

Not escaping the single quote means <tag attr='{{var}}'> is unsafe, in spite of being semantically equivalent to <tag attr="{{val}}"> which is safe. That's confusing and a recipe for exploits!

Such a change should largely be compatible with mustache-in-the-wild: a number of mustache implementations /already/ escape the single quote (at least in some cases), so any shop which uses mustache in multiple languages is unlikely to be relying on the non-escaped-single-quote:
- Mustache.js: escapes single quotes.
- mustache (ruby): uses CGI. CGI doesn't escape single quotes in Ruby 1.9.x, but does in Ruby 2.0.
- pystache: single quotes escaped as of Python 3.2.
- mustache.go: escapes single quotes (as &apos;!).
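The difference the issue describes, as an added example that is not part of the thread or of any of the implementations listed above: a four-character escaper matching the current interpolation.yml list beside a five-character one, run through a minimal `{{var}}` substitution (function names `escapeSpecFour`, `escapeFive`, `render` and `quoteCount` are assumed).

```javascript
// Added example, not from the issue or from any mustache implementation.

// Escapes only the four characters interpolation.yml currently lists.
function escapeSpecFour(str) {
  return String(str).replace(/[&"<>]/g, (ch) => ({
    '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;',
  }[ch]));
}

// Same list plus the single quote, as proposed in this issue. &#39; is used
// rather than &apos; because &apos; is not an HTML 4 entity.
function escapeFive(str) {
  return String(str).replace(/[&"'<>]/g, (ch) => ({
    '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;',
  }[ch]));
}

// Minimal {{name}} interpolation: every variable value passes through `escape`.
function render(template, view, escape) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escape(name in view ? view[name] : ''));
}

// Number of literal single quotes left in the output. A single-quoted
// attribute is intact only if exactly its two delimiters remain.
function quoteCount(html) {
  return (html.match(/'/g) || []).length;
}

// Constructed sample value containing an apostrophe, as a user might type it.
const view = { var: "O'Brien" };
const singleQuoted = "<tag attr='{{var}}'>";

// With the four-character list the attribute delimiter is terminated early...
const weak = render(singleQuoted, view, escapeSpecFour);
console.log(weak, quoteCount(weak));     // <tag attr='O'Brien'> 3
// ...while the five-character list keeps the attribute intact.
const fixed = render(singleQuoted, view, escapeFive);
console.log(fixed, quoteCount(fixed));   // <tag attr='O&#39;Brien'> 2
```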

@tchalvak

+1 makes sense to me.

@nwhittaker

+1

@dasilvacontin

+1

@jgonggrijp
Member

This is still an omission as of 2023. I welcome a pull request to address this.

(My implementation, Wontache, escapes single quotes as well.)

@bobthecow
Member

I think this should be the default, but will require a major version change. Let's tag things with backwards compatibility breaks that we'd like to do anyway?

@jgonggrijp
Member

I would say "bugfix". Bug fixes are always breaking in a way, but we don't bump the major version for them, because the thing that stops working should not have worked in the first place.

I would be more hesitant with this stance if most implementations didn't escape single quotes yet. Given that the practice is already widespread, however, I feel this is just a fix for an omission.
