From b8a14eafe9f260277ee03cc52c26901166045f81 Mon Sep 17 00:00:00 2001
From: Michael Jackson
Date: Tue, 12 Jun 2012 14:51:43 -0700
Subject: [PATCH] Strict escaping of ampersands
---
mustache.js | 2 +-
test/_files/dot_notation.mustache | 4 ++--
test/_files/escaped.mustache | 2 +-
test/_files/escaped.txt | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/mustache.js b/mustache.js
index 0fef360..c5be0c9 100644
--- a/mustache.js
+++ b/mustache.js
@@ -63,7 +63,7 @@ var Mustache = (typeof module !== "undefined" && module.exports) || {};
};
function escapeHtml(string) {
- return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) {
+ return String(string).replace(/[&<>"']/g, function (s) {
return entityMap[s];
});
}
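Review bot: The new character class on the `+` line still leaves `/` and the backtick unescaped, which is the OWASP-recommended set for values that may land inside HTML attributes; if `entityMap` (defined outside this hunk) is extended accordingly, the regex becomes `/[&<>"'\/`]/g`. The security reason for dropping the `(?!\w+;)` lookahead is not recorded anywhere in the code, and a future reader may be tempted to reintroduce it to keep existing entities intact; a comment above the `return` such as `// Escape every "&": the old (?!\w+;) lookahead let attacker-supplied strings that merely looked like entities (e.g. "&lt;") pass through unescaped.` would pin the intent. The function also depends on `entityMap` having an entry for each character in the class, since a missing key would substitute the string "undefined" rather than throwing; that invariant is worth stating next to the map.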
diff --git a/test/_files/dot_notation.mustache b/test/_files/dot_notation.mustache
index 138ddd0..f89d70b 100644
--- a/test/_files/dot_notation.mustache
+++ b/test/_files/dot_notation.mustache
@@ -1,8 +1,8 @@
{{name}}
Authors:
{{#authors}}- {{.}}
{{/authors}}
-Price: {{price.currency.symbol}}{{price.value}} {{#price.currency}}{{name}} {{availability.text}}{{/price.currency}}
-VAT: {{price.currency.symbol}}{{#price}}{{vat}}{{/price}}
+Price: {{{price.currency.symbol}}}{{price.value}} {{#price.currency}}{{name}} {{availability.text}}{{/price.currency}}
+VAT: {{{price.currency.symbol}}}{{#price}}{{vat}}{{/price}}
Test truthy false values:
Zero: {{truthy.zero}}
diff --git a/test/_files/escaped.mustache b/test/_files/escaped.mustache
index ea25951..93e800b 100644
--- a/test/_files/escaped.mustache
+++ b/test/_files/escaped.mustache
@@ -1,2 +1,2 @@
{{title}}
-But not {{entities}}.
+And even {{entities}}, but not {{{entities}}}.
diff --git a/test/_files/escaped.txt b/test/_files/escaped.txt
index 73ac5ce..2c3ad1f 100644
--- a/test/_files/escaped.txt
+++ b/test/_files/escaped.txt
@@ -1,2 +1,2 @@
Bear > Shark
-But not ".
+And even ", but not ".