Escape = in HTML content

There was a potential XSS exploit when using unquoted attributes that this should help reduce. Fixes #1083
author: kpdecker <kpdecker@gmail.com> 2015-09-01 01:44:35 -0500
committer: kpdecker <kpdecker@gmail.com> 2015-09-01 01:44:35 -0500
commit: 83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (patch)
tree: 00d7d41a96485736369528be71b88ababc8419c5 /spec/utils.js
parent: b0d217e13df11cb8cc3e23b242d6e8e20b9c1f30 (diff)
download: handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.zip
handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.gz
handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.bz2
1 files changed, 1 insertions, 0 deletions
diff --git a/spec/utils.js b/spec/utils.js
index 81732c5..7248ac4 100644
--- a/spec/utils.js
+++ b/spec/utils.js
@@ -18,6 +18,7 @@ describe('utils', function() {
   describe('#escapeExpression', function() {
     it('shouhld escape html', function() {
       equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo&lt;&amp;&quot;&#x27;&gt;');
+      equals(Handlebars.Utils.escapeExpression('foo='), 'foo&#x3D;');
     });
     it('should not escape SafeString', function() {
       var string = new Handlebars.SafeString('foo<&"\'>');
author	kpdecker <kpdecker@gmail.com>	2015-09-01 01:44:35 -0500
committer	kpdecker <kpdecker@gmail.com>	2015-09-01 01:44:35 -0500
commit	83b8e846a3569bd366cf0b6bdc1e4604d1a2077e (patch)
tree	00d7d41a96485736369528be71b88ababc8419c5 /spec/utils.js
parent	b0d217e13df11cb8cc3e23b242d6e8e20b9c1f30 (diff)
download	handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.zip handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.gz handlebars.js-83b8e846a3569bd366cf0b6bdc1e4604d1a2077e.tar.bz2