diff --git a/src/main/java/com/samskivert/mustache/Escapers.java b/src/main/java/com/samskivert/mustache/Escapers.java index a380b67..b8a8a1e 100644 --- a/src/main/java/com/samskivert/mustache/Escapers.java +++ b/src/main/java/com/samskivert/mustache/Escapers.java @@ -15,7 +15,9 @@ public class Escapers { "'", "'" }, { "\"", """ }, { "<", "<" }, - { ">", ">" } + { ">", ">" }, + { "`", "`" }, + { "=", "=" } }); /** An escaper that does no escaping. */ diff --git a/src/test/java/com/samskivert/mustache/SharedTests.java b/src/test/java/com/samskivert/mustache/SharedTests.java index 645aebe..6106934 100644 --- a/src/test/java/com/samskivert/mustache/SharedTests.java +++ b/src/test/java/com/samskivert/mustache/SharedTests.java @@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase } @Test public void testEscapeHTML () { - check("<b>", Mustache.compiler().compile("{{a}}"). - execute(context("a", ""))); + check("<b>", Mustache.compiler().compile("{{a}}").execute(context("a", ""))); check("", Mustache.compiler().escapeHTML(false).compile("{{a}}"). execute(context("a", ""))); + // ensure that some potential XSS enablers are escaped + check("`=", Mustache.compiler().compile("{{a}}").execute(context("a", "`="))); } @Test public void testUserDefinedEscaping() {