1

I was looking at this answer (copied below)

What I didn't understand is why is / escaped?


There is also the solution from mustache.js

https://github.com/janl/mustache.js/blob/master/mustache.js#L82

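    // Map each character to escape to its HTML character reference.
    var entityMap = {
      "&": "&amp;",
      "<": "&lt;",
      ">": "&gt;",
      '"': '&quot;',
      "'": '&#39;',
      "/": '&#x2F;'
    };

    function escapeHtml(string) {
      // Replace every occurrence of a mapped character with its entity.
      return String(string).replace(/[&<>"'\/]/g, function (s) {
        return entityMap[s];
      });
    }
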
Community
BruteCode
  • because your delimiter is `/` – Nick Fury Mar 12 '13 at 12:30
  • @NickFury The HTML isn't being put *in* the regex, so I don't see why that would be the case. – Waleed Khan Mar 12 '13 at 12:31
  • https://github.com/janl/mustache.js/pull/199 (OWASP, in turn, has some nonsense about how it "helps to end an HTML entity".) As always, the answer to your "why" question is "because it seemed like a good idea to someone when they wrote the code". – Wooble Mar 12 '13 at 12:43
  • @Wooble - Have you got a link to the OWASP recommendation? – Alohci Mar 12 '13 at 13:16
  • @Alohci: it certainly took you longer to type that comment and wait for a response than it would have taken to Google it. – Wooble Mar 12 '13 at 13:24

1 Answer

-1

There is no need at all to escape the / in HTML.

Allie
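
An added example (not part of the original posts or of mustache.js) that checks the answer's claim on constructed inputs: once `&`, `<`, `>`, `"` and `'` are escaped, the output holds no character that ends element content or a quoted attribute value, whether or not `/` is escaped as well. The function names and sample strings are assumptions made for this illustration.

```javascript
// Added example: names and sample strings below are constructed for illustration.
const BASE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const WITH_SLASH = Object.assign({}, BASE, { "/": "&#x2F;" });

const escapeNoSlash = (s) => String(s).replace(/[&<>"']/g, (c) => BASE[c]);
const escapeWithSlash = (s) => String(s).replace(/[&<>"'\/]/g, (c) => WITH_SLASH[c]);

// The character that ends each context when it appears literally in the markup.
const TERMINATOR = { elementContent: "<", doubleQuotedAttr: '"', singleQuotedAttr: "'" };

// Decode only the references the two escapers emit, as an HTML parser would.
const DECODE = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&#x2F;": "/" };
const decode = (s) => s.replace(/&(?:amp|lt|gt|quot|#39|#x2F);/g, (e) => DECODE[e]);

// For one input, report whether either escaper leaves a context terminator
// in its output and whether both outputs decode back to the same text.
function compare(input) {
  const a = escapeNoSlash(input);
  const b = escapeWithSlash(input);
  const leaks = (out) => Object.keys(TERMINATOR).filter((ctx) => out.includes(TERMINATOR[ctx]));
  return {
    noSlash: a,
    withSlash: b,
    leaksNoSlash: leaks(a),
    leaksWithSlash: leaks(b),
    sameRenderedText: decode(a) === input && decode(b) === input,
    onlySlashDiffers: a.replace(/\//g, "&#x2F;") === b,
  };
}

// Constructed sample inputs, one per context plus a URL full of slashes.
const SAMPLES = [
  "</title><b>x</b>",
  '" data-x="1',
  "' data-y='2",
  "https://example.com/a?b=1&c=2",
];

for (const s of SAMPLES) console.log(JSON.stringify(compare(s)));
```

Neither variant makes unquoted attribute values, script blocks or URL attributes safe; those contexts need their own encoding.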