why does _.escape modify / characters in Underscore.js?

11.1k Views Asked by zzzzBov At 20 October 2025 at 21:08

I was looking through the Underscore.js api and I noticed that _.escape escapes &, <, >, ", ', and / characters. What surprised me was escaping /.

Is there a reason to escape / characters that I don't know about?

Original Q&A

There are 2 best solutions below

Chetan S On 29 November 2011 at 03:14 BEST ANSWER

EDIT: Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity".

Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included as it helps to end an HTML entity.

& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;     &apos; is not recommended
/ --> &#x2F;     forward slash is included as it helps end an HTML entity

Pamela Pereyra On 20 August 2020 at 21:20

A lot of time passed but I found same issue. The strange is that the list of changes on the code are according to underscore github

var escapeMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;'
};

why does _.escape modify / characters in Underscore.js?

There are 2 best solutions below

Related Questions in UNDERSCORE.JS

Related Questions in HTML-ESCAPE

Trending Questions

Popular # Hahtags

Popular Questions