html, exp/html: escape ' and " as ' and ", since IE8 and

below do not support '.

This makes package html consistent with package text/template's
HTMLEscape function.

Fixes #3489.

R=rsc, mikesamuel, dsymonds
CC=golang-dev
https://golang.org/cl/5992071

Author: nigeltao

src/pkg/exp/html/escape.go

@@ -205,13 +205,15 @@ func escape(w writer, s string) error {
 		case '&':
 			esc = "&"
 		case '\'':
-			esc = "'"
+			// "'" is shorter than "'" and apos was not in HTML until HTML5.
+			esc = "'"
 		case '<':
 			esc = "&lt;"
 		case '>':
 			esc = "&gt;"
 		case '"':
-			esc = "&quot;"
+			// "&#34;" is shorter than "&quot;".
+			esc = "&#34;"
 		default:
 			panic("unrecognized escape character")
 		}
@@ -226,7 +228,7 @@ func escape(w writer, s string) error {
 }
 
 // EscapeString escapes special characters like "<" to become "&lt;". It
-// escapes only five such characters: amp, apos, lt, gt and quot.
+// escapes only five such characters: <, >, &, ' and ".
 // UnescapeString(EscapeString(s)) == s always holds, but the converse isn't
 // always true.
 func EscapeString(s string) string {

src/pkg/exp/html/render_test.go

@@ -98,7 +98,7 @@ func TestRenderer(t *testing.T) {
 			},
 		},
 	}
-	want := `<html><head></head><body>0&lt;1<p id="A" foo="abc&quot;def">` +
+	want := `<html><head></head><body>0&lt;1<p id="A" foo="abc&#34;def">` +
 		`2<b empty="">3</b><i backslash="\">&amp;4</i></p>` +
 		`5<blockquote></blockquote><br/>6</body></html>`
 	b := new(bytes.Buffer)

src/pkg/exp/html/token_test.go

@@ -359,7 +359,7 @@ var tokenTests = []tokenTest{
 	{
 		"tricky",
 		"<p \t\n iD=\"a&quot;B\"  foo=\"bar\"><EM>te&lt;&amp;;xt</em></p>",
-		`<p id="a&quot;B" foo="bar">$<em>$te&lt;&amp;;xt$</em>$</p>`,
+		`<p id="a&#34;B" foo="bar">$<em>$te&lt;&amp;;xt$</em>$</p>`,
 	},
 	// A nonexistent entity. Tokenizing and converting back to a string should
 	// escape the "&" to become "&amp;".
@@ -421,7 +421,7 @@ var tokenTests = []tokenTest{
 	{
 		"Double-quoted attribute value",
 		`<input value="I'm an attribute" FOO="BAR">`,
-		`<input value="I&apos;m an attribute" foo="BAR">`,
+		`<input value="I&#39;m an attribute" foo="BAR">`,
 	},
 	{
 		"Attribute name characters",
@@ -436,7 +436,7 @@ var tokenTests = []tokenTest{
 	{
 		"Attributes with a solitary single quote",
 		`<p id=can't><p id=won't>`,
-		`<p id="can&apos;t">$<p id="won&apos;t">`,
+		`<p id="can&#39;t">$<p id="won&#39;t">`,
 	},
 }
 
@@ -545,10 +545,11 @@ func TestUnescapeEscape(t *testing.T) {
 		`"<&>"`,
 		`&quot;&lt;&amp;&gt;&quot;`,
 		`3&5==1 && 0<1, "0&lt;1", a+acute=&aacute;`,
+		`The special characters are: <, >, &, ' and "`,
 	}
 	for _, s := range ss {
-		if s != UnescapeString(EscapeString(s)) {
-			t.Errorf("s != UnescapeString(EscapeString(s)), s=%q", s)
+		if got := UnescapeString(EscapeString(s)); got != s {
+			t.Errorf("got %q want %q", got, s)
 		}
 	}
 }

src/pkg/html/escape.go

@@ -210,13 +210,15 @@ func escape(w writer, s string) error {
 		case '&':
 			esc = "&"
 		case '\'':
-			esc = "'"
+			// "'" is shorter than "'" and apos was not in HTML until HTML5.
+			esc = "'"
 		case '<':
 			esc = "&lt;"
 		case '>':
 			esc = "&gt;"
 		case '"':
-			esc = "&quot;"
+			// "&#34;" is shorter than "&quot;".
+			esc = "&#34;"
 		default:
 			panic("unrecognized escape character")
 		}
@@ -231,7 +233,7 @@ func escape(w writer, s string) error {
 }
 
 // EscapeString escapes special characters like "<" to become "&lt;". It
-// escapes only five such characters: amp, apos, lt, gt and quot.
+// escapes only five such characters: <, >, &, ' and ".
 // UnescapeString(EscapeString(s)) == s always holds, but the converse isn't
 // always true.
 func EscapeString(s string) string {

src/pkg/net/http/server.go

@@ -785,8 +785,10 @@ var htmlReplacer = strings.NewReplacer(
 	"&", "&",
 	"<", "&lt;",
 	">", "&gt;",
-	`"`, "&quot;",
-	"'", "&apos;",
+	// "&#34;" is shorter than "&quot;".
+	`"`, "&#34;",
+	// "&#39;" is shorter than "&apos;" and apos was not in HTML until HTML5.
+	"'", "&#39;",
 )
 
 func htmlEscape(s string) string {

src/pkg/text/template/funcs.go

@@ -246,7 +246,7 @@ func not(arg interface{}) (truth bool) {
 
 var (
 	htmlQuot = []byte(""") // shorter than """
-	htmlApos = []byte("'") // shorter than "'"
+	htmlApos = []byte("'") // shorter than "'" and apos was not in HTML until HTML5
 	htmlAmp  = []byte("&")
 	htmlLt   = []byte("<")
 	htmlGt   = []byte(">")