properly handle amperstands when HTML escaping

escapeExpression, when given a string like ">", was simply returning
">", not escaping the amperstand. This is incorrect, and makes it
impossible to have Handlebars properly escape a
string like "Escaped, <b> looks like: &lt;b&gt;"

If the intention of the user is to not escape these characters, then
{{{}}} or {{&}} should be used
This commit is contained in:
Brian Palmer
2012-02-29 11:25:51 -07:00
parent 24e04bad94
commit bd9a84a0b7
2 changed files with 4 additions and 1 deletions
+2 -1
View File
@@ -22,6 +22,7 @@ Handlebars.SafeString.prototype.toString = function() {
(function() {
var escape = {
"&": "&amp;",
"<": "&lt;",
">": "&gt;",
'"': "&quot;",
@@ -29,7 +30,7 @@ Handlebars.SafeString.prototype.toString = function() {
"`": "&#x60;"
};
var badChars = /&(?!\w+;)|[<>"'`]/g;
var badChars = /[&<>"'`]/g;
var possible = /[&<>"'`]/;
var escapeChar = function(chr) {
+2
View File
@@ -96,6 +96,8 @@ test("escaping expressions", function() {
shouldCompileTo("{{awesome}}", {awesome: "&\"'`\\<>"}, '&amp;&quot;&#x27;&#x60;\\&lt;&gt;',
"by default expressions should be escaped");
shouldCompileTo("{{awesome}}", {awesome: "Escaped, <b> looks like: &lt;b&gt;"}, 'Escaped, &lt;b&gt; looks like: &amp;lt;b&amp;gt;',
"escaping should properly handle amperstands");
});
test("functions returning safestrings shouldn't be escaped", function() {