Reputation: 179046
why does _.escape modify / characters in Underscore.js?
I was looking through the Underscore.js api and I noticed that _.escape escapes &, <, >, ", ', and / characters. What surprised me was escaping /.
Is there a reason to escape / characters that I don't know about?
Upvotes: 12
Views: 11174
Answers (2)
Reputation: 101
A lot of time passed but I found same issue. The strange is that the list of changes on the code are according to underscore github
var escapeMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'`': '`'
};
Upvotes: 0
Reputation: 23803
EDIT: Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity".
Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.
& --> &
< --> <
> --> >
" --> "
' --> ' ' is not recommended
/ --> / forward slash is included as it helps end an HTML entity
Upvotes: 17
Related Questions
- _.chain - underscore JS
- Escape <%- %> tag in underscore.js template
- Underscore map behavior
- UnderscoreJS template escapes JS operators
- Underscore does not generate HTML
- what is it used for _.once in underscore?
- Underscore _.findWhere contains backslash
- underscore.js not working with < and > in html
- how to escape <> in javascript underscore template?
- Underscore behavior with Bind