From 1c88d17a911865894b2e2f6f8219309d5ea6b941 Mon Sep 17 00:00:00 2001
From: rxi <rxi@users.noreply.github.com>
Date: Sat, 29 Apr 2017 15:53:40 +0100
Subject: [PATCH] Fixed lovebird.htmlescape() to escape `&`, `"` and `'`

---
 lovebird.lua | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lovebird.lua b/lovebird.lua
index b0b715e..d586e77 100644
--- a/lovebird.lua
+++ b/lovebird.lua
@@ -497,8 +497,15 @@ function lovebird.parseurl(url)
 end
 
 
+local htmlescapemap = {
+  ["<"] = "&lt;",
+  ["&"] = "&amp;",
+  ['"'] = "&quot;",
+  ["'"] = "&#039;",
+}
+
 function lovebird.htmlescape(str)
-  return ( str:gsub("<", "&lt;") )
+  return ( str:gsub("[<&\"']", htmlescapemap) )
 end