Bug fix: do not escape & in ' entity for apostrophe

The fix consists in adding #? in the negative look-ahead expected to reject
entity references:
  &          // character '&'
  (?!        // not followed by
    #?       //   an optional # (numerical entity), followed by
    \w+      //   a word, followed by
    ;        //   character ';'
  )

instead of
  &          // character '&'
  (?!        // not followed by
    \w+      //   a word, followed by
    ;        //   character ';'
  )

mustache.js

@@ -44,7 +44,7 @@ var Mustache = function () {
   };
 
   function escapeHTML(string) {
-    return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) {
+    return String(string).replace(/&(?!#?\w+;)|[<>"']/g, function (s) {
       return escapeMap[s] || s;
     });
   }