[release-branch.go1] html, exp/html: escape ' and " as ' and "…

…, since IE8 and

««« backport a70135896879
html, exp/html: escape ' and " as ' and ", since IE8 and
below do not support '.

This makes package html consistent with package text/template's
HTMLEscape function.

Fixes #3489.

R=rsc, mikesamuel, dsymonds
CC=golang-dev
https://golang.org/cl/5992071
»»»

src/pkg/html/escape.go

@@ -210,13 +210,15 @@ func escape(w writer, s string) error {
 		case '&':
 			esc = "&"
 		case '\'':
-			esc = "'"
+			// "'" is shorter than "'" and apos was not in HTML until HTML5.
+			esc = "'"
 		case '<':
 			esc = "&lt;"
 		case '>':
 			esc = "&gt;"
 		case '"':
-			esc = "&quot;"
+			// "&#34;" is shorter than "&quot;".
+			esc = "&#34;"
 		default:
 			panic("unrecognized escape character")
 		}
@@ -231,7 +233,7 @@ func escape(w writer, s string) error {
 }
 
 // EscapeString escapes special characters like "<" to become "&lt;". It
-// escapes only five such characters: amp, apos, lt, gt and quot.
+// escapes only five such characters: <, >, &, ' and ".
 // UnescapeString(EscapeString(s)) == s always holds, but the converse isn't
 // always true.
 func EscapeString(s string) string {

src/pkg/net/http/server.go

@@ -785,8 +785,10 @@ var htmlReplacer = strings.NewReplacer(
 	"&", "&",
 	"<", "&lt;",
 	">", "&gt;",
-	`"`, "&quot;",
-	"'", "&apos;",
+	// "&#34;" is shorter than "&quot;".
+	`"`, "&#34;",
+	// "&#39;" is shorter than "&apos;" and apos was not in HTML until HTML5.
+	"'", "&#39;",
 )
 
 func htmlEscape(s string) string {

src/pkg/text/template/funcs.go

@@ -246,7 +246,7 @@ func not(arg interface{}) (truth bool) {
 
 var (
 	htmlQuot = []byte(""") // shorter than """
-	htmlApos = []byte("'") // shorter than "'"
+	htmlApos = []byte("'") // shorter than "'" and apos was not in HTML until HTML5
 	htmlAmp  = []byte("&")
 	htmlLt   = []byte("<")
 	htmlGt   = []byte(">")