From 660beb9f65882e98acf8f1cbd8e83a1bbbdba254 Mon Sep 17 00:00:00 2001
From: Danny Greg & Nathan Sobo <danny+nathan@github.com>
Date: Thu, 19 Jan 2012 16:36:32 -0800
Subject: [PATCH] Text inside of tags is HTML escaped.

---
 spec/stdlib/template/builder-spec.coffee | 4 ++++
 src/stdlib/template/text.coffee          | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/spec/stdlib/template/builder-spec.coffee b/spec/stdlib/template/builder-spec.coffee
index 16ae0e4cd..5e182cdb0 100644
--- a/spec/stdlib/template/builder-spec.coffee
+++ b/spec/stdlib/template/builder-spec.coffee
@@ -30,6 +30,10 @@ describe "Builder", ->
       builder.tag 'div', 22
       expect(builder.toHtml()).toBe "<div>22</div>"
 
+    it "HTML escapes tag text", ->
+      builder.tag('div', "<br/>")
+      expect(builder.toHtml()).toBe "<div>&lt;br/&gt;</div>"
+
     it "can generate tags with attributes", ->
       builder.tag 'div', id: 'foo', class: 'bar'
       fragment = builder.toFragment()
diff --git a/src/stdlib/template/text.coffee b/src/stdlib/template/text.coffee
index 5f20e1d2e..de8b25e3a 100644
--- a/src/stdlib/template/text.coffee
+++ b/src/stdlib/template/text.coffee
@@ -2,5 +2,11 @@ module.exports =
 class Text
   constructor: (@string) ->
 
-  toHtml: -> @string
+  toHtml: ->
+    @string
+      .replace(/&/g, '&amp;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')