From 378bcca8a5cfe4058f294a3dbb78e8755e8e0da5 Mon Sep 17 00:00:00 2001
From: Phillip Johnsen
Date: Tue, 17 Nov 2015 09:14:29 +0100
Subject: [PATCH] Improve HTML escaping.

This closes a couple of potential exploit scenarios. Backtick (`) for older IEs and equals (=) for unquoted attributes.

Refs https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e
Closes https://github.com/janl/mustache.js/pull/388
---
 mustache.js | 6 ++++--
 test/_files/escaped.js | 2 +-
 test/_files/escaped.txt | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/mustache.js b/mustache.js
index 18706aecb..cad9ebb0a 100644
--- a/mustache.js
+++ b/mustache.js
@@ -63,11 +63,13 @@
 '>': '>',
 '"': '"',
 "'": ''',
- '/': '/'
+ '/': '/',
+ '`': '`',
+ '=': '='
 };
 function escapeHtml (string) {
- return String(string).replace(/[&<>"'\/]/g, function fromEntityMap (s) {
+ return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) {
 return entityMap[s];
 });
 }
diff --git a/test/_files/escaped.js b/test/_files/escaped.js
index cd77c1f49..e60095960 100644
--- a/test/_files/escaped.js
+++ b/test/_files/escaped.js
@@ -2,5 +2,5 @@
 title: function () {
 return "Bear > Shark";
 },
- entities: "" \"'<>/"
+ entities: "" \"'<>`=/"
 })
diff --git a/test/_files/escaped.txt b/test/_files/escaped.txt
index c1527d510..182f99ee4 100644
--- a/test/_files/escaped.txt
+++ b/test/_files/escaped.txt
@@ -1,2 +1,2 @@
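Review bot: The character class in the rewritten `replace` regex inside escapeHtml and the keys of `entityMap` now have to be kept in step by hand, and the commit adds the two new characters to both places without recording that coupling; a character later added to one side only makes `fromEntityMap` return `undefined`, which `String.prototype.replace` writes into the output as the literal text "undefined". Suggest a comment on the regex line, `// Character class must match the keys of entityMap above.`, or building the pattern from the map keys once at module load so there is a single source of truth. It would also help callers to document on escapeHtml that this is HTML text and attribute-value escaping only: the added backtick and `=` cover unquoted and legacy-IE attribute values, but the output is still not safe to place inside a script block, a style block, a URL, or an event-handler attribute. The `entityMap` literal begins above the hunk; escapeHtml itself lies fully inside it.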

Bear > Shark

-And even &quot; "'<>/, but not " "'<>/.
+And even &quot; "'<>`=/, but not " "'<>`=/.