diff --git a/lodash.js b/lodash.js
index 6b2525630..fb15e70ff 100644
--- a/lodash.js
+++ b/lodash.js
@@ -370,8 +370,7 @@ '<': '<', '>': '>', '"': '"', - "'": ''', - '`': '`' + "'": ''' }; /** Used to map HTML entities to characters. */
@@ -380,8 +379,7 @@ '<': '<', '>': '>', '"': '"', - ''': "'", - '`': '`' + ''': "'" }; /** Used to escape characters for inclusion in compiled string literals. */
@@ -13842,8 +13840,8 @@ } /** - * Converts the characters "&", "<", ">", '"', "'", and "\`" in `string` to - * their corresponding HTML entities. + * Converts the characters "&", "<", ">", '"', and "'" in `string` to their + * corresponding HTML entities. * * **Note:** No other characters are escaped. To escape additional * characters use a third-party library like [_he_](https://mths.be/he).
@@ -13854,12 +13852,6 @@ * [Mathias Bynens's article](https://mathiasbynens.be/notes/ambiguous-ampersands) * (under "semi-related fun fact") for more details. * - * Backticks are escaped because in IE < 9, they can break out of - * attribute values or HTML comments. See [#59](https://html5sec.org/#59), - * [#102](https://html5sec.org/#102), [#108](https://html5sec.org/#108), and - * [#133](https://html5sec.org/#133) of the - * [HTML5 Security Cheatsheet](https://html5sec.org/) for more details. - * - * When working with HTML you should always * [quote attribute values](http://wonko.com/post/html-escaping) to reduce * XSS vectors.
@@ -14750,7 +14742,7 @@ /** * The inverse of `_.escape`; this method converts the HTML entities - * `&`, `<`, `>`, `"`, `'`, and ``` in `string` to + * `&`, `<`, `>`, `"`, and `'` in `string` to * their corresponding characters. * * **Note:** No other HTML entities are unescaped. To unescape additional
diff --git a/test/test.js b/test/test.js
index decd47a02..9858db92a 100644
--- a/test/test.js
+++ b/test/test.js
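Review bot: Dropping the backtick entry from the unescape map in `@@ -380,8 +379,7 @@` means text escaped and stored by an earlier release no longer round-trips, because its `&#96;` stays encoded after `_.unescape`. Decoding that one entity carries no cost, so the unescape entry could stay for backward compatibility even though `_.escape` stops producing it in `@@ -370,8 +370,7 @@`. On the escape side, the comment this commit deletes says the guard existed for IE < 9 attribute and comment break-outs, so removing it looks reasonable only if those browsers are out of scope; that assumption is worth stating in the changelog. Both maps start outside their hunks.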
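Review bot: The paragraph deleted in `@@ -13854,12 +13852,6 @@` was the only place the `_.escape` docs mentioned backticks, and after the change nothing tells a reader that they now pass through unescaped. One line kept in its place would cover it, for example `* Backticks are not escaped; they can break out of attribute values only in IE < 9.`, placed just before the existing advice to quote attribute values. The doc comment starts and ends outside the hunk.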
@@ -5450,8 +5450,8 @@ QUnit.module('lodash.escape'); (function() { - var escaped = '&<>"'`\/', - unescaped = '&<>"\'`\/'; + var escaped = '&<>"'/', + unescaped = '&<>"\'/'; escaped += escaped; unescaped += unescaped;
@@ -21728,8 +21728,8 @@ assert.expect(1); var strings = ['

<%- value %>

', '

<%-value%>

', '

<%-\nvalue\n%>

'], - expected = lodashStable.map(strings, lodashStable.constant('

&<>"'`\/

')), - data = { 'value': '&<>"\'`\/' }; + expected = lodashStable.map(strings, lodashStable.constant('

&<>"'/

')), + data = { 'value': '&<>"\'/' }; var actual = lodashStable.map(strings, function(string) { return _.template(string)(data);
@@ -22268,13 +22268,13 @@ var array = ['<%= a %>', '<%- b %>', '<% print(c) %>'], compiles = lodashStable.map(array, _.template), - data = { 'a': 'one', 'b': '`two`', 'c': 'three' }; + data = { 'a': 'one', 'b': '"two"', 'c': 'three' }; var actual = lodashStable.map(compiles, function(compiled) { return compiled(data); }); - assert.deepEqual(actual, ['one', '`two`', 'three']); + assert.deepEqual(actual, ['one', '"two"', 'three']);
@@ -24205,8 +24205,8 @@ QUnit.module('lodash.unescape'); (function() { - var escaped = '&<>"'\/', - unescaped = '&<>"\'\/'; + var escaped = '&<>"'/', + unescaped = '&<>"\'/'; escaped += escaped; unescaped += unescaped;
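Review bot: After the sample swap in `@@ -22268,13 +22268,13 @@` and the fixture edits in the other test hunks, none of the visible tests feeds a backtick to `_.escape` or `_.template`, so the new pass-through behaviour is not pinned. If no test outside these hunks covers it, an explicit assertion such as ``assert.strictEqual(_.escape('`'), '`');`` in the `lodash.escape` module would catch an accidental reintroduction or a partial revert. The enclosing test functions start and end outside the hunks.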