authorBrian Palmer <brianp@instructure.com>2012-02-29 11:25:51 -0700
committerBrian Palmer <brianp@instructure.com>2012-02-29 11:25:51 -0700
commitbd9a84a0b74958ac9ca3fab45c125a6211c378fa (patch)
treeeb6f4595d2431906e24ea930e75a6b847265304e /lib/handlebars/utils.js
parent24e04bad949405dae145d40fbea6a97bafb1c78d (diff)
properly handle amperstands when HTML escaping
escapeExpression, when given a string like "&gt;", was simply returning "&gt;", not escaping the ampersand. This is incorrect, and makes it impossible to have Handlebars properly escape a string like "Escaped, <b> looks like: &lt;b&gt;". If the intention of the user is to not escape these characters, then {{{}}} or {{&}} should be used.
Diffstat (limited to 'lib/handlebars/utils.js')
-rw-r--r--lib/handlebars/utils.js3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js
index bd5d0eb..b53c9ef 100644
--- a/lib/handlebars/utils.js
+++ b/lib/handlebars/utils.js
@@ -22,6 +22,7 @@ Handlebars.SafeString.prototype.toString = function() {
(function() {
var escape = {
+ "&": "&amp;",
"<": "&lt;",
">": "&gt;",
'"': "&quot;",
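Review bot: The `escape` map carries no comment saying that `&` is now escaped unconditionally, so a caller that passes already entity-encoded text will get `&amp;lt;` in the output instead of `&lt;`. I would add a comment above `var escape = {` such as `// Every & is escaped, including one that starts an entity; pass raw text, or wrap pre-escaped markup in Handlebars.SafeString.` The enclosing function continues past this hunk, so the assumption that SafeString values bypass this map comes from the hunk header and is not confirmed by the visible lines.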
@@ -29,7 +30,7 @@ Handlebars.SafeString.prototype.toString = function() {
"`": "&#x60;"
};
- var badChars = /&(?!\w+;)|[<>"'`]/g;
+ var badChars = /[&<>"'`]/g;
var possible = /[&<>"'`]/;
var escapeChar = function(chr) {
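Review bot: After this change `badChars` and `possible` spell out the same six-character class in two separate literals, and both must also agree with the keys of `escape`; if any of the three drifts, a character is silently left unescaped, which in an HTML-escaping routine is an XSS risk. A one-line comment above the two regexes would cover it, e.g. `// Keep badChars, possible and the keys of escape in sync.` The body of `escapeChar` lies outside the hunk, so how a matched character with no map entry is handled cannot be checked from here. The diffstat shown is limited to utils.js, so it is not visible whether a regression test for `"&gt;"` becoming `"&amp;gt;"` accompanies the commit; if not, one is worth adding.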