From 34f10467b3f6c476da14bf293359f58089b2067e Mon Sep 17 00:00:00 2001
From: Nadav
Date: Wed, 20 Jul 2011 03:41:27 -0700
Subject: [PATCH] * Added _.escape() for escaping special HTML chars * Added support for auto-escaping of values using ```<%== ... %>```
---
 underscore.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/underscore.js b/underscore.js
index 4f5601325..1cf51a7dc 100644
--- a/underscore.js
+++ b/underscore.js
@@ -733,6 +733,11 @@
 for (var i = 0; i < n; i++) iterator.call(context, i);
 };
+ // Escape string for HTML
+ _.escape = function(string) {
+ return (''+string).replace(/&(?!\w+;|#\d+;|#x[\da-f]+;)/gi, '&').replace(//g, '>').replace(/"/g, '"').replace(/'/g, ''').replace(/\//g,'/');
+ };
+
 // Add your own custom functions to the Underscore object, ensuring that
 // they're correctly added to the OOP wrapper as well.
 _.mixin = function(obj) {
@@ -753,7 +758,8 @@
 // following template settings to use alternative delimiters.
 _.templateSettings = {
 evaluate : /<%([\s\S]+?)%>/g,
- interpolate : /<%=([\s\S]+?)%>/g
+ interpolate : /<%=([\s\S]+?)%>/g,
+ encode : /<%==([\s\S]+?)%>/g
 };
 // JavaScript micro-templating, similar to John Resig's implementation.
@@ -765,6 +771,9 @@
 'with(obj||{}){__p.push(\'' +
 str.replace(/\\/g, '\\\\')
 .replace(/'/g, "\\'")
+ .replace(c.encode, function(match, code) {
+ return "',_.escape(" + code.replace(/\\'/g, "'") + "),'";
+ })
 .replace(c.interpolate, function(match, code) {
 return "'," + code.replace(/\\'/g, "'") + ",'";
 })
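Review bot: `_.escape` coerces with `(''+string)`, so `null` and `undefined` come back as the literal words `null`/`undefined`; through `<%== %>` every missing value is printed into the page as that text, where an empty string is almost always what a template author expects — `return string == null ? '' : ('' + string).replace(...)` would cover it. The lookahead on the `&` replacement deliberately leaves anything that already looks like an entity reference untouched, which means a value that literally contains `&amp;` or `&lt;` is displayed differently from its source text and the function is no longer a plain per-character escape; for a templating helper, escaping every `&` is simpler to reason about and cannot be tricked by entity-shaped input. The replacement strings as shown on this page appear entity-decoded (`'&'`, `'>'`, and a `//g` regex where a `/</g` would be expected), which is presumably a rendering artefact of the page rather than the committed source, but worth confirming against the original line. The one-line header could also say what contexts the result is safe for, e.g. `// Escape &, <, >, ", ' and / so a value can be placed in HTML text or a quoted attribute.`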
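Review bot: `encode` shares its prefix with `interpolate` (`<%=` is a prefix of `<%==`), so an `<%== … %>` tag also matches the `interpolate` pattern, and the substitution only comes out right because `_.template` applies `c.encode` before `c.interpolate`. That ordering constraint is invisible here; a comment on the new entry such as `// must be applied before interpolate, whose pattern also matches <%== … %>` would protect whoever next reorders the replace chain or customises the delimiters. Callers who assign `_.templateSettings` wholesale with only an `interpolate` key (presumably a common override, given the comment above the object) will leave `c.encode` undefined, and `str.replace(undefined, fn)` then matches the literal text `undefined` in the template and calls the callback with an offset as `code`; that failure mode already existed for `evaluate`, but the new key widens it, so a guard or a documented "always supply all three keys" would be worth adding.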
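Review bot: The generated source calls `_.escape(...)` through the global name `_` at render time, not at compile time, so a compiled template escapes correctly only while the global `_` is this library; after `_.noConflict()` or in a module loader where `_` is a local binding, rendering throws instead of producing escaped output, and any other object bound to `_` at that point decides what `escape` means. Passing the library into the compiled function — e.g. `new Function('obj', '_', tmpl)` and invoking it with `_` as the second argument — removes the dependency on the global; the `new Function` call and the rest of the `_.template` body sit outside this hunk. As with `interpolate`, the captured expression is spliced into the generated source verbatim, so `<%== %>` escapes the expression's value but never the template text itself — worth stating in the docs for the new tag. Minor: the encode callback duplicates the interpolate callback apart from the `_.escape(` wrapper, so a small shared helper would keep the `\\'` un-escaping in one place.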