Make _.escape escape backticks as well

In Internet Explorer ≤ 8, the backtick character can be used to break out of unquoted attribute values or HTML comments. See http://html5sec.org/#102, http://html5sec.org/#108, and http://html5sec.org/#133.
2026-02-05 09:27:49 +00:00 · 2014-05-23 10:38:05 +02:00
parent f4b34c8ca5
commit c875b61003
2 changed files with 13 additions and 6 deletions
--- a/test/test.js
+++ b/test/test.js
@@ -2372,8 +2372,8 @@
  QUnit.module('lodash.escape');

  (function() {
-    var escaped = '&amp;&lt;&gt;&quot;&#39;\/',
-        unescaped = '&<>"\'\/';
+    var escaped = '&amp;&lt;&gt;&quot;&#39;&#96;\/',
+        unescaped = '&<>"\'`\/';

    test('should escape values', 1, function() {
      strictEqual(_.escape(unescaped), escaped);