From 9f8937bd69c1ad8166bc814799c23c0ddc52793f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eric=20Br=C3=A9chemier?=
Date: Mon, 20 Feb 2012 10:43:54 +0100
Subject: [PATCH] Revert "Use ''' instead of ''', which showed in template output"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As reported by Chad Weider (Thanks!), the apostrophe should not be escaped as "'" in HTML documents, but using a numeric entity "'" or "'". Unlike """, "'" has not beed defined in the W3C Recommendation for HTML 4 [1].

References:
[1] HTML 4.01 Specification ยง24.4.1 The list of characters
http://www.w3.org/TR/html4/sgml/entities.html#h-24.3.1
[2] Why shouldn't `'` be used to escape single quotes?
http://stackoverflow.com/questions/2083754
/why-shouldnt-apos-be-used-to-escape-single-quotes
[3] OWASP - The Open Web Application Security Project
RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
"' is not recommended"
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

See details of the discussion on Github issue tracker:
https://github.com/janl/mustache.js/pull/166

This reverts commit e20cee5f3e102be48e9be0575c71278178190d48.

Conflicts:
	mustache.js
---
 mustache.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mustache.js b/mustache.js
index 929f397..28bed23 100644
--- a/mustache.js
+++ b/mustache.js
@@ -40,7 +40,7 @@ var Mustache = function () {
 "<": "<",
 ">": ">",
 '"': '"',
- "'": '''
+ "'": '''
 };
 function escapeHTML(string) {
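Review bot: The new apostrophe entry on the `+` line needs a why-comment in the code, because this value has now flipped twice (this commit reverts e20cee5) and nothing in the map itself records the reason; add above it `// '&#39;', not '&apos;': &apos; is undefined in HTML 4, so some renderers print it literally (see #166)` — note the page renders both sides of the change with the entities decoded, so the actual values are only recoverable from the commit message. The map is only safe if `&` is escaped as well; its entry presumably sits on the line just above the hunk, outside view, and is worth confirming since the three visible entries alone would leave `&lt;` round-trips broken. The OWASP rule the message cites also lists `/` (`&#x2F;`) as defense in depth; whether this map should match it deserves a deliberate decision rather than silence. `escapeHTML`'s body begins on the hunk's last line and runs past the end of the hunk.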