From 8688eaa73b84b33e6e317ced5de2ad3b2e26a340 Mon Sep 17 00:00:00 2001
From: Alec Newman <anewman@balihoo.com>
Date: Mon, 17 Feb 2014 18:11:02 -0700
Subject: [PATCH 1/6] Added a way for escaping Javascript data: {{js&name}}
 emits JS that can be used in a <script> tag.  Instead of naively calling
 JSON.stringify, it properly handles unicode data
 (http://timelessrepo.com/json-isnt-a-javascript-subset).

---
 mustache.js | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 73 insertions(+), 2 deletions(-)

diff --git a/mustache.js b/mustache.js
index a3aac8f5e..911908f9d 100644
--- a/mustache.js
+++ b/mustache.js
@@ -59,6 +59,72 @@
     });
   }
 
+  function escapeJs(o) {
+    var s = '';
+
+    if (typeof o === 'string') {
+      s += "'";
+
+      for (var i = 0; i < o.length; ++i) {
+        var n = o.charCodeAt(i),
+            c = o[i];
+        
+        if (c == "'") {
+          s += "\\'";
+        } else if (c == '\\') {
+          s += '\\\\';
+        } else if (n < 32 || n > 122) {
+          var code = n.toString(16);
+
+          while (code.length < 4) {
+            code = '0' + code;
+          }
+
+          s += "\\u" + code;
+        } else {
+          s += c;
+        }
+      }
+
+      s += "'";
+    } else if (o instanceof Array) {
+      s += '[';
+
+      for (var i = 0; i < o.length; ++i) {
+        s += escapeJs(o[i]);
+
+        if (i < o.length - 1) {
+          s += ',';
+        }
+      }
+
+      s += ']';
+    } else if (typeof o === 'boolean') {
+      s = o ? 'true' : 'false';
+    } else if (typeof o === 'number') {
+      s = '' + o;
+    } else {
+      s += '{';
+
+      var keys = Object.keys(o);
+
+      for (var i = 0; i < keys.length; ++i) {
+        var k = keys[i],
+            v = o[k];
+
+        s += escapeJs(k) + ':' + escapeJs(v);
+
+        if (i < o.length - 1) {
+          s += ',';
+        }
+      }
+
+      s += '}';
+    }
+
+    return s;
+  }
+
   function escapeTags(tags) {
     if (!isArray(tags) || tags.length !== 2) {
       throw new Error('Invalid tags: ' + tags);
@@ -74,7 +140,7 @@
   var spaceRe = /\s+/;
   var equalsRe = /\s*=/;
   var curlyRe = /\s*\}/;
-  var tagRe = /#|\^|\/|>|\{|&|=|!/;
+  var tagRe = /#|\^|\/|>|\{|js&|&|=|!/;
 
   /**
    * Breaks up the given `template` string into a tree of tokens. If the `tags`
@@ -198,7 +264,7 @@
         if (openSection[1] !== value) {
           throw new Error('Unclosed section "' + openSection[1] + '" at ' + start);
         }
-      } else if (type === 'name' || type === '{' || type === '&') {
+      } else if (type === 'name' || type === '{' || type === '&' || type === 'js&') {
         nonSpace = true;
       } else if (type === '=') {
         // Set the tags for the next time around.
@@ -503,6 +569,10 @@
         value = context.lookup(token[1]);
         if (value != null) buffer += value;
         break;
+      case 'js&':
+        value = context.lookup(token[1]);
+        if (value != null) buffer += mustache.escapeJs(value);
+        break;
       case 'name':
         value = context.lookup(token[1]);
         if (value != null) buffer += mustache.escape(value);
@@ -561,6 +631,7 @@
   // Export the escaping function so that the user may override it.
   // See https://github.com/janl/mustache.js/issues/244
   mustache.escape = escapeHtml;
+  mustache.escapeJs = escapeJs;
 
   // Export these mainly for testing, but also for advanced usage.
   mustache.Scanner = Scanner;

From 6e940173badb2ea45e48daf05037936f25ee301c Mon Sep 17 00:00:00 2001
From: Alec Newman <anewman@balihoo.com>
Date: Mon, 17 Feb 2014 18:13:15 -0700
Subject: [PATCH 2/6] Added tests.

---
 test/_files/js_escape.js       | 4 ++++
 test/_files/js_escape.mustache | 5 +++++
 test/_files/js_escape.txt      | 5 +++++
 3 files changed, 14 insertions(+)
 create mode 100644 test/_files/js_escape.js
 create mode 100644 test/_files/js_escape.mustache
 create mode 100644 test/_files/js_escape.txt

diff --git a/test/_files/js_escape.js b/test/_files/js_escape.js
new file mode 100644
index 000000000..83edb9292
--- /dev/null
+++ b/test/_files/js_escape.js
@@ -0,0 +1,4 @@
+({ string: "This is my\u2028string\"'."
+, array: ["abc\u2028", 1.1, [2, 3, true], "z"]
+, object: {"key\u2028": false}
+})
diff --git a/test/_files/js_escape.mustache b/test/_files/js_escape.mustache
new file mode 100644
index 000000000..be92b387d
--- /dev/null
+++ b/test/_files/js_escape.mustache
@@ -0,0 +1,5 @@
+<script>
+  var s = {{js&string}},
+      a = {{js&array}},
+      o = {{js&object}};
+</script>
diff --git a/test/_files/js_escape.txt b/test/_files/js_escape.txt
new file mode 100644
index 000000000..a431756c8
--- /dev/null
+++ b/test/_files/js_escape.txt
@@ -0,0 +1,5 @@
+<script>
+  var s = 'This is my\u2028string"\'.',
+      a = ['abc\u2028',1.1,[2,3,true],'z'],
+      o = {'key\u2028':false};
+</script>

From c53f3eb9f6b107a427f08b206b015c3abf7a2b4f Mon Sep 17 00:00:00 2001
From: Alec Newman <anewman@balihoo.com>
Date: Fri, 21 Feb 2014 15:22:00 -0700
Subject: [PATCH 3/6] Changed the JS emitting prefix to $.

---
 mustache.js                    | 6 +++---
 test/_files/js_escape.mustache | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/mustache.js b/mustache.js
index 911908f9d..619f25e87 100644
--- a/mustache.js
+++ b/mustache.js
@@ -140,7 +140,7 @@
   var spaceRe = /\s+/;
   var equalsRe = /\s*=/;
   var curlyRe = /\s*\}/;
-  var tagRe = /#|\^|\/|>|\{|js&|&|=|!/;
+  var tagRe = /#|\^|\/|>|\{|\$|&|=|!/;
 
   /**
    * Breaks up the given `template` string into a tree of tokens. If the `tags`
@@ -264,7 +264,7 @@
         if (openSection[1] !== value) {
           throw new Error('Unclosed section "' + openSection[1] + '" at ' + start);
         }
-      } else if (type === 'name' || type === '{' || type === '&' || type === 'js&') {
+      } else if (type === 'name' || type === '{' || type === '&' || type === '$') {
         nonSpace = true;
       } else if (type === '=') {
         // Set the tags for the next time around.
@@ -569,7 +569,7 @@
         value = context.lookup(token[1]);
         if (value != null) buffer += value;
         break;
-      case 'js&':
+      case '$':
         value = context.lookup(token[1]);
         if (value != null) buffer += mustache.escapeJs(value);
         break;
diff --git a/test/_files/js_escape.mustache b/test/_files/js_escape.mustache
index be92b387d..5079a96f7 100644
--- a/test/_files/js_escape.mustache
+++ b/test/_files/js_escape.mustache
@@ -1,5 +1,5 @@
 <script>
-  var s = {{js&string}},
-      a = {{js&array}},
-      o = {{js&object}};
+  var s = {{$string}},
+      a = {{$array}},
+      o = {{$object}};
 </script>

From c5bda8568a873dd2becd6c1b3c823867a2f5d3c6 Mon Sep 17 00:00:00 2001
From: Alec Newman <anewman@balihoo.com>
Date: Fri, 21 Feb 2014 15:43:52 -0700
Subject: [PATCH 4/6] Fixed JS escaping of objects.

---
 mustache.js               | 2 +-
 test/_files/js_escape.js  | 2 +-
 test/_files/js_escape.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mustache.js b/mustache.js
index 619f25e87..03ee68e04 100644
--- a/mustache.js
+++ b/mustache.js
@@ -114,7 +114,7 @@
 
         s += escapeJs(k) + ':' + escapeJs(v);
 
-        if (i < o.length - 1) {
+        if (i < keys.length - 1) {
           s += ',';
         }
       }
diff --git a/test/_files/js_escape.js b/test/_files/js_escape.js
index 83edb9292..7058836a2 100644
--- a/test/_files/js_escape.js
+++ b/test/_files/js_escape.js
@@ -1,4 +1,4 @@
 ({ string: "This is my\u2028string\"'."
 , array: ["abc\u2028", 1.1, [2, 3, true], "z"]
-, object: {"key\u2028": false}
+, object: {"key\u2028": false, "otherkey": true, "finalkey": 3}
 })
diff --git a/test/_files/js_escape.txt b/test/_files/js_escape.txt
index a431756c8..132b182cc 100644
--- a/test/_files/js_escape.txt
+++ b/test/_files/js_escape.txt
@@ -1,5 +1,5 @@
 <script>
   var s = 'This is my\u2028string"\'.',
       a = ['abc\u2028',1.1,[2,3,true],'z'],
-      o = {'key\u2028':false};
+      o = {'key\u2028':false,'otherkey':true,'finalkey':3};
 </script>

From e6d4e5114bce3cd63b9e3ea991a9043d4a75a89b Mon Sep 17 00:00:00 2001
From: Alec Newman <anewman@balihoo.com>
Date: Thu, 17 Jul 2014 11:06:44 -0600
Subject: [PATCH 5/6] Falsy values are now actually emitted for JS escaped
 tags.

---
 mustache.js                    | 6 +++++-
 test/_files/js_escape.js       | 1 +
 test/_files/js_escape.mustache | 4 +++-
 test/_files/js_escape.txt      | 4 +++-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/mustache.js b/mustache.js
index 03ee68e04..d776ca703 100644
--- a/mustache.js
+++ b/mustache.js
@@ -103,6 +103,10 @@
       s = o ? 'true' : 'false';
     } else if (typeof o === 'number') {
       s = '' + o;
+    } else if (typeof o === 'undefined') {
+      s = 'undefined';
+    } else if (o === null) {
+      s = 'null';
     } else {
       s += '{';
 
@@ -571,7 +575,7 @@
         break;
       case '$':
         value = context.lookup(token[1]);
-        if (value != null) buffer += mustache.escapeJs(value);
+        buffer += mustache.escapeJs(value);
         break;
       case 'name':
         value = context.lookup(token[1]);
diff --git a/test/_files/js_escape.js b/test/_files/js_escape.js
index 7058836a2..c7739b518 100644
--- a/test/_files/js_escape.js
+++ b/test/_files/js_escape.js
@@ -1,4 +1,5 @@
 ({ string: "This is my\u2028string\"'."
 , array: ["abc\u2028", 1.1, [2, 3, true], "z"]
 , object: {"key\u2028": false, "otherkey": true, "finalkey": 3}
+, nil: null
 })
diff --git a/test/_files/js_escape.mustache b/test/_files/js_escape.mustache
index 5079a96f7..ff42cd51a 100644
--- a/test/_files/js_escape.mustache
+++ b/test/_files/js_escape.mustache
@@ -1,5 +1,7 @@
 <script>
   var s = {{$string}},
       a = {{$array}},
-      o = {{$object}};
+      o = {{$object}},
+      n = {{$nil}},
+      u = {{$nonexistent}};
 </script>
diff --git a/test/_files/js_escape.txt b/test/_files/js_escape.txt
index 132b182cc..4cb16a4fe 100644
--- a/test/_files/js_escape.txt
+++ b/test/_files/js_escape.txt
@@ -1,5 +1,7 @@
 <script>
   var s = 'This is my\u2028string"\'.',
       a = ['abc\u2028',1.1,[2,3,true],'z'],
-      o = {'key\u2028':false,'otherkey':true,'finalkey':3};
+      o = {'key\u2028':false,'otherkey':true,'finalkey':3},
+      n = null,
+      u = undefined;
 </script>

From 54415e0f0843971735c94531eda2f2bbab4d7cd2 Mon Sep 17 00:00:00 2001
From: anewman <anewman@balihoo.com>
Date: Tue, 30 Sep 2014 14:45:38 -0600
Subject: [PATCH 6/6] Added fix to avoid issue with a closing HTML tag, like
 </script>, in an emitted js string.

---
 mustache.js                    | 4 ++++
 test/_files/js_escape.js       | 1 +
 test/_files/js_escape.mustache | 1 +
 test/_files/js_escape.txt      | 1 +
 4 files changed, 7 insertions(+)

diff --git a/mustache.js b/mustache.js
index d776ca703..605a447ed 100644
--- a/mustache.js
+++ b/mustache.js
@@ -73,6 +73,10 @@
           s += "\\'";
         } else if (c == '\\') {
           s += '\\\\';
+        } else if (c == '<') {
+          s += '\\x3c';
+        } else if (c == '/') {
+          s += '\\x2f';
         } else if (n < 32 || n > 122) {
           var code = n.toString(16);
 
diff --git a/test/_files/js_escape.js b/test/_files/js_escape.js
index c7739b518..02088c7ae 100644
--- a/test/_files/js_escape.js
+++ b/test/_files/js_escape.js
@@ -1,4 +1,5 @@
 ({ string: "This is my\u2028string\"'."
+, breaker: "This is my string with a </script> tag."
 , array: ["abc\u2028", 1.1, [2, 3, true], "z"]
 , object: {"key\u2028": false, "otherkey": true, "finalkey": 3}
 , nil: null
diff --git a/test/_files/js_escape.mustache b/test/_files/js_escape.mustache
index ff42cd51a..361ccf68a 100644
--- a/test/_files/js_escape.mustache
+++ b/test/_files/js_escape.mustache
@@ -1,5 +1,6 @@
 <script>
   var s = {{$string}},
+      b = {{$breaker}},
       a = {{$array}},
       o = {{$object}},
       n = {{$nil}},
diff --git a/test/_files/js_escape.txt b/test/_files/js_escape.txt
index 4cb16a4fe..78e136d36 100644
--- a/test/_files/js_escape.txt
+++ b/test/_files/js_escape.txt
@@ -1,5 +1,6 @@
 <script>
   var s = 'This is my\u2028string"\'.',
+      b = 'This is my string with a \x3c\x2fscript> tag.',
       a = ['abc\u2028',1.1,[2,3,true],'z'],
       o = {'key\u2028':false,'otherkey':true,'finalkey':3},
       n = null,