html, exp/html: escape ' and " as ' and ", since IE8 and

below do not support '.

This makes package html consistent with package text/template's
HTMLEscape function.

Fixes #3489.

R=rsc, mikesamuel, dsymonds
CC=golang-dev
https://golang.org/cl/5992071

1 files changed, 5 insertions, 3 deletions

diff --git a/src/pkg/html/escape.go b/src/pkg/html/escape.go
index fee771a578..24cb7af852 100644
--- a/src/pkg/html/escape.go
+++ b/src/pkg/html/escape.go
@@ -210,13 +210,15 @@ func escape(w writer, s string) error {
 		case '&':
 			esc = "&"
 		case '\'':
-			esc = "'"
+			// "'" is shorter than "'" and apos was not in HTML until HTML5.
+			esc = "'"
 		case '<':
 			esc = "&lt;"
 		case '>':
 			esc = "&gt;"
 		case '"':
-			esc = "&quot;"
+			// "&#34;" is shorter than "&quot;".
+			esc = "&#34;"
 		default:
 			panic("unrecognized escape character")
 		}
@@ -231,7 +233,7 @@ func escape(w writer, s string) error {
 }
 
 // EscapeString escapes special characters like "<" to become "&lt;". It
-// escapes only five such characters: amp, apos, lt, gt and quot.
+// escapes only five such characters: <, >, &, ' and ".
 // UnescapeString(EscapeString(s)) == s always holds, but the converse isn't
 // always true.
 func EscapeString(s string) string {