Escape ` and = when escaping HTML.

They can be used for nefarious purposes on old IEs.

Refs wycats/handlebars.js@83b8e84
This commit is contained in:
Michael Bayne
2015-12-24 13:48:07 -08:00
parent ed15294419
commit 9eda17f85b
2 changed files with 6 additions and 3 deletions
@@ -15,7 +15,9 @@ public class Escapers
{ "'", "'" },
{ "\"", """ },
{ "<", "&lt;" },
{ ">", "&gt;" }
{ ">", "&gt;" },
{ "`", "&#x60;" },
{ "=", "&#x3D;" }
});
/** An escaper that does no escaping. */
@@ -283,10 +283,11 @@ public abstract class SharedTests extends GWTTestCase
}
@Test public void testEscapeHTML () {
check("&lt;b&gt;", Mustache.compiler().compile("{{a}}").
execute(context("a", "<b>")));
check("&lt;b&gt;", Mustache.compiler().compile("{{a}}").execute(context("a", "<b>")));
check("<b>", Mustache.compiler().escapeHTML(false).compile("{{a}}").
execute(context("a", "<b>")));
// ensure that some potential XSS enablers are escaped
check("&#x60;&#x3D;", Mustache.compiler().compile("{{a}}").execute(context("a", "`=")));
}
@Test public void testUserDefinedEscaping() {