From 83b8e846a3569bd366cf0b6bdc1e4604d1a2077e Mon Sep 17 00:00:00 2001
From: kpdecker
Date: Tue, 1 Sep 2015 01:44:35 -0500
Subject: [PATCH] Escape = in HTML content

There was a potential XSS exploit when using unquoted attributes that this should help reduce.

Fixes #1083
---
 lib/handlebars/utils.js | 7 ++++---
 spec/utils.js | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/handlebars/utils.js b/lib/handlebars/utils.js
index 81050f999..d34646b7d 100644
--- a/lib/handlebars/utils.js
+++ b/lib/handlebars/utils.js
@@ -4,11 +4,12 @@ const escape = {
   '>': '>',
   '"': '"',
   "'": ''',
-  '`': '`'
+  '`': '`',
+  '=': '='
 };
 
-const badChars = /[&<>"'`]/g,
-    possible = /[&<>"'`]/;
+const badChars = /[&<>"'`=]/g,
+    possible = /[&<>"'`=]/;
 
 function escapeChar(chr) {
   return escape[chr];
diff --git a/spec/utils.js b/spec/utils.js
index 81732c5e7..7248ac447 100644
--- a/spec/utils.js
+++ b/spec/utils.js
@@ -18,6 +18,7 @@ describe('utils', function() {
   describe('#escapeExpression', function() {
     it('shouhld escape html', function() {
       equals(Handlebars.Utils.escapeExpression('foo<&"\'>'), 'foo<&"'>');
+      equals(Handlebars.Utils.escapeExpression('foo='), 'foo=');
     });
     it('should not escape SafeString', function() {
       var string = new Handlebars.SafeString('foo<&"\'>');
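Review bot: The `'='` entry added to the escape map carries no comment saying why a character that is not HTML-special is escaped, and the map plus both regexes now have to be edited in lock-step, which is why this change had to touch three places. I would add above the map `// '=' is escaped so a value interpolated into an unquoted attribute cannot introduce further name=value pairs; whitespace is not escaped, so quoting attribute values in templates remains the primary defense.` and derive the second regex from the first, `possible = new RegExp(badChars.source);`, so the two character classes cannot drift. The entity values appear decoded on this page (`'>': '>'`), so the actual replacement strings cannot be checked here; the value for `'='` must be an entity such as `&#x3D;` rather than the literal character, otherwise the new mapping is a no-op. escapeChar's body closes outside the hunk.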
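Review bot: The new assertion reads `equals(Handlebars.Utils.escapeExpression('foo='), 'foo=')` on this page, with the expected output identical to the input; if that is how the spec literally reads, the test passes without `=` being escaped at all, and the expected string should be the entity form, presumably decoded by the page rendering. A second case that mixes `=` with the other escaped characters, e.g. `escapeExpression('a=b<c')`, would also pin that `=` is handled by the same `badChars` pass and not only in isolation. The enclosing `describe` block continues outside the hunk.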