Strict escaping of ampersands

mustache.js

@@ -63,7 +63,7 @@ var Mustache = (typeof module !== "undefined" && module.exports) || {};
   };
 
   function escapeHtml(string) {
-    return String(string).replace(/&(?!\w+;)|[<>"']/g, function (s) {
+    return String(string).replace(/[&<>"']/g, function (s) {
       return entityMap[s];
     });
   }

test/_files/dot_notation.mustache

@@ -1,8 +1,8 @@
 <!-- exciting part -->
 <h1>{{name}}</h1>
 <p>Authors: <ul>{{#authors}}<li>{{.}}</li>{{/authors}}</ul></p>
-<p>Price: {{price.currency.symbol}}{{price.value}} {{#price.currency}}{{name}} <b>{{availability.text}}</b>{{/price.currency}}</p>
-<p>VAT: {{price.currency.symbol}}{{#price}}{{vat}}{{/price}}</p>
+<p>Price: {{{price.currency.symbol}}}{{price.value}} {{#price.currency}}{{name}} <b>{{availability.text}}</b>{{/price.currency}}</p>
+<p>VAT: {{{price.currency.symbol}}}{{#price}}{{vat}}{{/price}}</p>
 <!-- boring part -->
 <h2>Test truthy false values:</h2>
 <p>Zero: {{truthy.zero}}</p>

test/_files/escaped.mustache

@@ -1,2 +1,2 @@
 <h1>{{title}}</h1>
-But not {{entities}}.
+And even {{entities}}, but not {{{entities}}}.

test/_files/escaped.txt

@@ -1,2 +1,2 @@
 <h1>Bear &gt; Shark</h1>
-But not &quot;.
+And even &amp;quot;, but not &quot;.