From da1124dd378c6aa564ab83845983ad16c9dd4740 Mon Sep 17 00:00:00 2001 From: John-David Dalton Date: Mon, 4 Jun 2012 02:12:41 -0400 Subject: [PATCH] Switch to an `htmlEscapes` object for use in `_.escape`. Former-commit-id: bc449b5d6868c846d599840e5c0d90d0314fe4b8 --- build/pre-compile.js | 3 ++ lodash.js | 90 +++++++++++++++++++++++++++----------------- 2 files changed, 59 insertions(+), 34 deletions(-) diff --git a/build/pre-compile.js b/build/pre-compile.js index 912a8818c..92dbe21f6 100644 --- a/build/pre-compile.js +++ b/build/pre-compile.js @@ -211,6 +211,9 @@ }); }); + // remove newline from double-quoted string in `_.template` + source = source.replace('"\';\\n"', '"\';"'); + // minify `_.sortBy` internal properties (function() { var properties = ['criteria', 'value'], diff --git a/lodash.js b/lodash.js index 039877312..4f7aad57e 100644 --- a/lodash.js +++ b/lodash.js @@ -12,17 +12,6 @@ var freeExports = typeof exports == 'object' && exports && (typeof global == 'object' && global && global == global.global && (window = global), exports); - /** Used to escape characters in templates */ - var escapes = { - '\\': '\\', - "'": "'", - '\n': 'n', - '\r': 'r', - '\t': 't', - '\u2028': 'u2028', - '\u2029': 'u2029' - }; - /** * Detect the JScript [[DontEnum]] bug: * In IE < 9 an objects own properties, shadowing non-enumerable ones, are @@ -33,16 +22,6 @@ /** Used to generate unique IDs */ var idCounter = 0; - /** Used to determine if values are of the language type Object */ - var objectTypes = { - 'boolean': false, - 'function': true, - 'object': true, - 'number': false, - 'string': false, - 'undefined': false - }; - /** Used to restore the original `_` reference in `noConflict` */ var oldDash = window._; 
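Review bot: In the `build/pre-compile.js` hunk, `source.replace('"\';\\n"', '"\';"')` matches one exact literal and, because the pattern is a string, only its first occurrence. If the quoting of that string in `_.template` ever changes, the step silently does nothing and the build output no longer matches the comment. Making the dependency fail loudly would catch that, for example `if (source.indexOf('"\';\\n"') < 0) throw new Error('template newline literal not found');` placed just before the replace. The enclosing function starts and ends outside the hunk.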
@@ -54,8 +33,11 @@ /** Used to match tokens in template text */ var reToken = /__token__(\d+)/g; - /** Used to match unescaped characters in template text */ - var reUnescaped = /['\n\r\t\u2028\u2029\\]/g; + /** Used to match unescaped characters in HTML */ + var reUnescapedHtml = /[&<"']/g; + + /** Used to match unescaped characters in string literals */ + var reUnescapedString = /['\n\r\t\u2028\u2029\\]/g; /** Used to fix the JScript [[DontEnum]] bug */ var shadowed = [ @@ -69,6 +51,40 @@ /** Used to store tokenized template text snippets */ var tokenized = []; + /** + * Used to escape characters for inclusion in HTML. + * The `>` and `/` characters don't require escaping in HTML and have no + * special meaning unless they're part of a tag or an unquoted attribute value + * http://mathiasbynens.be/notes/ambiguous-ampersands (semi-related fun fact) + */ + var htmlEscapes = { + '&': '&', + '<': '<', + '"': '"', + "'": ''' + }; + + /** Used to determine if values are of the language type Object */ + var objectTypes = { + 'boolean': false, + 'function': true, + 'object': true, + 'number': false, + 'string': false, + 'undefined': false + }; + + /** Used to escape characters for inclusion in string literals */ + var stringEscapes = { + '\\': '\\', + "'": "'", + '\n': 'n', + '\r': 'r', + '\t': 't', + '\u2028': 'u2028', + '\u2029': 'u2029' + }; + /** Object#toString result shortcuts */ var arrayClass = '[object Array]', boolClass = '[object Boolean]', 
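Review bot: `reUnescapedHtml` (`/[&<"']/g`) and the `htmlEscapes` map in the following `@@ -69,6 +51,40 @@` hunk leave `>` unescaped, so `_.escape` output is safe only in element content and in quoted attribute values. The comment on `htmlEscapes` admits the unquoted-attribute exception, but it sits on a private variable where callers will not read it. Either move that caveat into the public `_.escape` doc block or cover the character, i.e. `var reUnescapedHtml = /[&<>"']/g;` plus a `'>': '&gt;'` entry. The map values as shown on this page look entity-decoded (`'&': '&'`), so this assumes the committed values are the entity forms.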
@@ -449,8 +465,19 @@ * @param {String} match The matched character to escape. * @returns {String} Returns the escaped character. */ - function escapeChar(match) { - return '\\' + escapes[match]; + function escapeStringChar(match) { + return '\\' + stringEscapes[match]; + } + + /** + * Used by `escape()` to escape characters for inclusion in HTML. + * + * @private + * @param {String} match The matched character to escape. + * @returns {String} Returns the escaped character. + */ + function escapeHtmlChar(match) { + return htmlEscapes[match]; } /** @@ -2823,14 +2850,7 @@ * // => "Curly, Larry & Moe" */ function escape(string) { - // the `>` character doesn't require escaping in HTML and has no special - // meaning unless it's part of a tag or an unquoted attribute value - // http://mathiasbynens.be/notes/ambiguous-ampersands (semi-related fun fact) - return (string + '') - .replace(/&/g, '&') - .replace(/
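Review bot: `escapeHtmlChar` in the `@@ -449,8 +465,19 @@` hunk returns `htmlEscapes[match]` with no fallback, so it relies on every character in `reUnescapedHtml` having a key in the map. If the two drift apart, `String#replace` writes the text `undefined` into the output in place of the character. `escapeStringChar` has the same coupling with `reUnescapedString` and `stringEscapes`. A one-line comment on each map would make the invariant explicit, e.g. `// keys must cover every character matched by reUnescapedHtml`. The doc block of `escapeStringChar` begins outside the hunk.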