Remove escaping backticks.

lodash.js

@@ -370,8 +370,7 @@
     '<': '&lt;',
     '>': '&gt;',
     '"': '&quot;',
-    "'": '&#39;',
+    "'": '&#39;'
-    '`': '&#96;'
   };
 
   /** Used to map HTML entities to characters. */
@@ -380,8 +379,7 @@
     '&lt;': '<',
     '&gt;': '>',
     '&quot;': '"',
-    '&#39;': "'",
+    '&#39;': "'"
-    '&#96;': '`'
   };
 
   /** Used to escape characters for inclusion in compiled string literals. */
@@ -13842,8 +13840,8 @@
     }
 
     /**
-     * Converts the characters "&", "<", ">", '"', "'", and "\`" in `string` to
+     * Converts the characters "&", "<", ">", '"', and "'" in `string` to their
-     * their corresponding HTML entities.
+     * corresponding HTML entities.
      *
      * **Note:** No other characters are escaped. To escape additional
      * characters use a third-party library like [_he_](https://mths.be/he).
@@ -13854,12 +13852,6 @@
      * [Mathias Bynens's article](https://mathiasbynens.be/notes/ambiguous-ampersands)
      * (under "semi-related fun fact") for more details.
      *
-     * Backticks are escaped because in IE < 9, they can break out of
-     * attribute values or HTML comments. See [#59](https://html5sec.org/#59),
-     * [#102](https://html5sec.org/#102), [#108](https://html5sec.org/#108), and
-     * [#133](https://html5sec.org/#133) of the
-     * [HTML5 Security Cheatsheet](https://html5sec.org/) for more details.
-     *
      * When working with HTML you should always
      * [quote attribute values](http://wonko.com/post/html-escaping) to reduce
      * XSS vectors.
@@ -14750,7 +14742,7 @@
 
     /**
      * The inverse of `_.escape`; this method converts the HTML entities
-     * `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, and `&#96;` in `string` to
+     * `&amp;`, `&lt;`, `&gt;`, `&quot;`, and `&#39;` in `string` to
      * their corresponding characters.
      *
      * **Note:** No other HTML entities are unescaped. To unescape additional

test/test.js

@@ -5450,8 +5450,8 @@
   QUnit.module('lodash.escape');
 
   (function() {
-    var escaped = '&<>"'`\/',
+    var escaped = '&<>"'/',
-        unescaped = '&<>"\'`\/';
+        unescaped = '&<>"\'/';
 
     escaped += escaped;
     unescaped += unescaped;
@@ -21728,8 +21728,8 @@
       assert.expect(1);
 
       var strings = ['<p><%- value %></p>', '<p><%-value%></p>', '<p><%-\nvalue\n%></p>'],
-          expected = lodashStable.map(strings, lodashStable.constant('<p>&amp;&lt;&gt;&quot;&#39;&#96;\/</p>')),
+          expected = lodashStable.map(strings, lodashStable.constant('<p>&amp;&lt;&gt;&quot;&#39;/</p>')),
-          data = { 'value': '&<>"\'`\/' };
+          data = { 'value': '&<>"\'/' };
 
       var actual = lodashStable.map(strings, function(string) {
         return _.template(string)(data);
@@ -22268,13 +22268,13 @@
 
       var array = ['<%= a %>', '<%- b %>', '<% print(c) %>'],
           compiles = lodashStable.map(array, _.template),
-          data = { 'a': 'one', 'b': '`two`', 'c': 'three' };
+          data = { 'a': 'one', 'b': '"two"', 'c': 'three' };
 
       var actual = lodashStable.map(compiles, function(compiled) {
         return compiled(data);
       });
 
-      assert.deepEqual(actual, ['one', '&#96;two&#96;', 'three']);
+      assert.deepEqual(actual, ['one', '&quot;two&quot;', 'three']);
     });
   }());
 
@@ -24205,8 +24205,8 @@
   QUnit.module('lodash.unescape');
 
   (function() {
-    var escaped = '&amp;&lt;&gt;&quot;&#39;\/',
+    var escaped = '&amp;&lt;&gt;&quot;&#39;/',
-        unescaped = '&<>"\'\/';
+        unescaped = '&<>"\'/';
 
     escaped += escaped;
     unescaped += unescaped;