why does _.escape modify / characters in Underscore.js?
I was looking through the Underscore.js API and I noticed that _.escape escapes &, <, >, ", ', and / characters. What surprised me was escaping /.

Is there a reason to escape / characters that I don't know about?

Gnostic answered 28/11, 2011 at 15:38 Comment(0)
EDIT: Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity".

Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.

& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;     &apos; is not recommended
/ --> &#x2F;     forward slash is included as it helps end an HTML entity
Nalor answered 29/11, 2011 at 3:14 Comment(3)
It doesn't change / to \/ it changes it to &#x2F;. Besides, </script> would be changed to &lt;/script&gt; which wouldn't be an issue. – Gnostic
@zzzzBov: Updated the answer with the citation. I found it out myself just now. – Nalor
and now that all makes sense :D – Gnostic
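An added example (not Underscore's or OWASP's own code) that builds a _.escape-style encoder from each of the two character maps discussed in this thread, plus a check that the encoded output cannot re-open a tag or attribute; the SAMPLE string is constructed for the demonstration.

```javascript
// Added example, not Underscore's own code: a _.escape-style encoder built
// from a character map, using the two maps discussed in this thread.
const OWASP_MAP = {                 // six characters from the OWASP rule quoted above
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
const UNDERSCORE_MAP = {            // Underscore's current escapeMap (backtick, no slash)
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

// Character-by-character replacement: no regex, so map keys need no escaping.
function makeEscaper(map) {
  const has = ch => Object.prototype.hasOwnProperty.call(map, ch);
  return s => Array.from(String(s), ch => (has(ch) ? map[ch] : ch)).join('');
}

// Inverse of makeEscaper for the same map, to confirm the encoding is lossless.
function makeUnescaper(map) {
  const inverse = Object.fromEntries(Object.entries(map).map(([k, v]) => [v, k]));
  const re = new RegExp(Object.keys(inverse).join('|'), 'g');
  return s => String(s).replace(re, ent => inverse[ent]);
}

// Defender's check for text or quoted-attribute context: no raw <, >, ", '
// may survive, and every '&' must start an entity, so nothing can re-open markup.
function isInert(encoded) {
  if (/[<>"']/.test(encoded)) return false;
  const amps = (encoded.match(/&/g) || []).length;
  const entities = (encoded.match(/&(#x[0-9a-fA-F]+|[a-zA-Z]+);/g) || []).length;
  return amps === entities;
}

const escapeOwasp = makeEscaper(OWASP_MAP);
const escapeUnderscore = makeEscaper(UNDERSCORE_MAP);
const unescapeOwasp = makeUnescaper(OWASP_MAP);

// Constructed sample: the two maps differ only in what happens to '/' and '`'.
const SAMPLE = '<a href="/x" title=\'y\'>`z`</a>';
```

Both encoders pass the isInert check on SAMPLE, because the characters that switch context in text and quoted attributes are the same five in both maps; the sixth character is where the OWASP list (slash) and Underscore's map (backtick) differ.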
A lot of time has passed, but I found the same issue. The strange thing is that the list of replacements in the code, according to the underscore GitHub, is:

var escapeMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;'
};
Spermogonium answered 20/8, 2020 at 21:20 Comment(0)
