From c875b61003bba6dee197511fab685aa9e8f094a3 Mon Sep 17 00:00:00 2001
From: Mathias Bynens
Date: Fri, 23 May 2014 10:38:05 +0200
Subject: [PATCH] Make `_.escape` escape backticks as well
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In Internet Explorer ≤ 8, the backtick character can be used to break out of unquoted attribute values or HTML comments. See http://html5sec.org/#102, http://html5sec.org/#108, and http://html5sec.org/#133.
---
 lodash.js | 15 +++++++++++----
 test/test.js | 4 ++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/lodash.js b/lodash.js
index c775fefc5..ef5c6d983 100644
--- a/lodash.js
+++ b/lodash.js
@@ -40,8 +40,8 @@
 reEmptyStringTrailing = /(__e\(.*?\)|\b__t\)) \+\n'';/g;

 /** Used to match HTML entities and HTML characters */
- var reEscapedHtml = /&(?:amp|lt|gt|quot|#39);/g,
- reUnescapedHtml = /[&<>"']/g;
+ var reEscapedHtml = /&(?:amp|lt|gt|quot|#39|#96);/g,
+ reUnescapedHtml = /[&<>"'`]/g;

 /** Used to match template delimiters */
 var reEscape = /<%-([\s\S]+?)%>/g,
@@ -157,13 +157,19 @@
 * unless they're part of a tag or unquoted attribute value.
 * See [Mathias' article](http://mathiasbynens.be/notes/ambiguous-ampersands)
 * (under "semi-related fun fact") for more details.
+ *
+ * Backticks are escaped because in Internet Explorer <= 8, they can be used
+ * to break out of unquoted attribute values or HTML comments. See
+ * , , and
+ * for more details.
 */
 var htmlEscapes = {
 '&': '&',
 '<': '<',
 '>': '>',
 '"': '"',
- "'": '''
+ "'": ''',
+ '`': '`'
 };

 /** Used to convert HTML entities to characters */
@@ -172,7 +178,8 @@
 '<': '<',
 '>': '>',
 '"': '"',
- ''': "'"
+ ''': "'",
+ '`': '`'
 };

 /**
diff --git a/test/test.js b/test/test.js
index 8f18679a7..b329635e4 100644
--- a/test/test.js
+++ b/test/test.js
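Review bot: `reEscapedHtml`, `reUnescapedHtml`, `htmlEscapes` and `htmlUnescapes` must now agree on the same six characters, and nothing at the regex declarations says so; the comment above them could read `/** Used to match HTML entities and HTML characters; keep in sync with `htmlEscapes` and `htmlUnescapes` */`. The alternation `amp|lt|gt|quot|#39|#96` accepts only those exact spellings, so `_.unescape` leaves other encodings of the same characters (hex or zero-padded numeric references) untouched; that is fine if `_.unescape` is meant only as the inverse of `_.escape`, but a one-line comment at the regex stating that scope would prevent callers from treating it as a general entity decoder. The surrounding `var` declaration run begins before this hunk.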
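Review bot: The added comment lines `* , , and` and `* for more details.` carry no references as shown here, so the html5sec links named in the commit message are missing from the doc block; presumably they were written in angle brackets and were dropped in rendering, which is exactly why the existing line uses a Markdown link. Writing them the same way, `* [html5sec #102](http://html5sec.org/#102), [#108](http://html5sec.org/#108) and [#133](http://html5sec.org/#133)`, keeps the comment consistent and robust. Since the new text cites unquoted attribute values, the same comment should state that `_.escape` output is only safe in HTML text and quoted attribute values; escaping the backtick closes the IE<=8 case but does not make unquoted attribute values safe. On this page the map values in this hunk and in the `htmlUnescapes` hunk that follows display as the bare characters, e.g. `'&': '&'`; given the `amp|lt|gt|quot|#39|#96` alternation in the first hunk these are evidently the corresponding entities decoded by the page rendering, not the committed text.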
@@ -2372,8 +2372,8 @@ QUnit.module('lodash.escape'); (function() { - var escaped = '&<>"'\/', - unescaped = '&<>"\'\/'; + var escaped = '&<>"'`\/', + unescaped = '&<>"\'`\/'; test('should escape values', 1, function() { strictEqual(_.escape(unescaped), escaped);
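Review bot: The single `strictEqual(_.escape(unescaped), escaped)` compares one concatenated string, so a regression in any one of the six characters fails identically; a dedicated check for the character this commit adds, `strictEqual(_.escape('`'), '&#96;');`, and, unless the `lodash.unescape` module already covers it, `strictEqual(_.unescape('&#96;'), '`');`, would localize failures and pin the round trip the `reEscapedHtml` change is meant to provide. As displayed here the `escaped` literal contains a bare single quote inside a single-quoted string, so the entities in both `escaped` values have evidently been decoded by the page rendering and the committed text should be the `&amp;`-style entities. The `test` callback that holds the assertion continues past the end of the hunk.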