From b334e33c172b63896a0e2c4ea0ebfefbff42a028 Mon Sep 17 00:00:00 2001
From: Frankie Dintino
Date: Wed, 12 Apr 2023 09:31:17 -0400
Subject: [PATCH] fix: html encode backslashes if used with escape filter or autoescape
---
 nunjucks/src/lib.js | 5 +++--
 tests/compiler.js | 12 +++++++++++-
 tests/filters.js | 4 ++--
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/nunjucks/src/lib.js b/nunjucks/src/lib.js
index 376db95aa..e99589f79 100644
--- a/nunjucks/src/lib.js
+++ b/nunjucks/src/lib.js
@@ -8,10 +8,11 @@ var escapeMap = {
 '"': '"',
 '\'': ''',
 '<': '<',
- '>': '>'
+ '>': '>',
+ '\\': '\',
 };
-var escapeRegex = /[&"'<>]/g;
+var escapeRegex = /[&"'<>\\]/g;
 var exports = module.exports = {};
diff --git a/tests/compiler.js b/tests/compiler.js
index 8e133e7f7..62f0aa912 100644
--- a/tests/compiler.js
+++ b/tests/compiler.js
@@ -1976,6 +1976,16 @@
 finish(done);
 });
+ it('should autoescape backslashes', function(done) {
+ equal(
+ '{{ foo }}',
+ { foo: 'foo \\\' bar' },
+ { autoescape: true },
+ 'foo \' bar');
+
+ finish(done);
+ });
+
 it('should not autoescape when extension set false', function(done) {
 function TestExtension() {
 // jshint validthis: true
@@ -2031,7 +2041,7 @@
 });
 it('should render regexs', function(done) {
- equal('{{ r/name [0-9] \\// }}',
+ equal('{{ r/name [0-9] \\// }}',
 {}, { autoescape: false },
 '/name [0-9] \\//');
 equal('{{ r/x/gi }}',
diff --git a/tests/filters.js b/tests/filters.js
index 6a975a185..554c10dd1 100644
--- a/tests/filters.js
+++ b/tests/filters.js
@@ -108,9 +108,9 @@
 it('escape', function() {
 equal(
- '{{ "" | escape }}', {},
+ '{{ "\\\\" | escape }}', {},
 { autoescape: false },
- '<html>');
+ '<html>\');
 });
 it('escape skip safe', function() {
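Review bot: The new `'\\'` entry in escapeMap deserves a short why-comment, because a backslash is not part of the usual HTML escape set and a later reader may be tempted to drop it; e.g. `// Backslash is encoded as well: a backslash directly before a quote (see the autoescape test for 'foo \' bar') must not reach the output as a bare escape sequence.` As rendered here the replacement reads `'\'`, which is not a terminated JS string literal — the page has presumably decoded the numeric character reference, just as it shows the other entries as `'"'`, `'''`, `'<'` and `'>'`, so the committed value should be confirmed in the repository rather than read from this rendering. The `'&'` entry and the escape function that applies escapeRegex are outside the hunk, so whether map and regex stay in sync end to end cannot be checked from here; the visible regex change `/[&"'<>\\]/g` does match the added key.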
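Review bot: The expected string in the new `should autoescape backslashes` test, `'foo \' bar'`, is as displayed the unescaped input itself, so as printed the assertion would not detect a missing encoding; the same applies to `'<html>\'` in the tests/filters.js hunk, where the trailing `\'` also leaves the JS literal unterminated. Both look like the page decoded the numeric character references in the expected values (presumably `&#92;` for the backslash and `&#39;` for the quote), so the committed expectations should be checked in the repository rather than trusted from this rendering. A one-line comment on the test stating what the input exercises would help, e.g. `// backslash immediately before a quote: both characters must be encoded independently`. The enclosing describe block starts and ends outside the hunk.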