From 67b2a0cfefb9aecf04dc46a689c22415ceecd80e Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Thu, 12 Mar 2015 17:13:49 +0800
Subject: [PATCH 1/2] publish as release v1.0.6

- improved speed of yubl() based on
http://jsperf.com/lazy-regexp-parsing
- added grave accent ` handling in y() and yavu()
- code cleanup to shrink space
---
 README.md                         |  14 ++--
 dist/xss-filters.1.0.6.min.js     |   5 ++
 dist/xss-filters.js               |   4 +-
 dist/xss-filters.min.js           |   4 +-
 package.json                      |   2 +-
 src/xss-filters.js                |  49 +++++---------
 tests/unit/private-xss-filters.js |  66 ++++--------------
 tests/unit/xss-filters.js         | 107 +++++++++++++++++-------------
 tests/utils.js                    |  18 ++++-
 9 files changed, 122 insertions(+), 147 deletions(-)
 create mode 100644 dist/xss-filters.1.0.6.min.js

diff --git a/README.md b/README.md
index 33f8bfb..7f6b988 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Secure XSS Filters
 
   `document.write("<a href=" + xssFilters.uriInUnquotedAttr(url) + ">" + xssFilters.uriInHTMLData(url) + "</a>");`
 
-  In this example, the traditional wisdom of blindly escaping the five well-known characters (`&` `<` `>` `'` `"`) would not stop XSS (e.g., when `url` is equal to `javascript:alert(1)` or ` onclick=alert(1)`).
+  In this example, the traditional wisdom of blindly escaping the five well-known characters (`&` `<` `>` `'` `"` `` ` ``) would not stop XSS (e.g., when `url` is equal to `javascript:alert(1)` or ` onclick=alert(1)`).
 
 - **Just Sufficient Encoding.** Encode the *minimal* set of characters to thwart JavaScript executions, thus preventing XSS attacks while keeping most characters intact. Say goodbye to double-encoding problems such as '&amp;amp;lt;', as often resulted from traditional filters!!
 
@@ -47,6 +47,8 @@ app.get('/', function(req, res){
 Simply download the latest minified version from the [`dist/`](./dist) folder. Embed it in your HTML file, and all filters are available in a global object called `xssFilters`.
 
 ```html
+<!doctype html><!-- You need HTML 5 mode for browser -->
+...
 <script src="dist/xss-filters.min.js"></script>
 <script>
 var firstname = "..."; //an untrusted input collected from user
@@ -72,11 +74,11 @@ and retrieve your data with `document.getElementById('strJS').value`.
 ### The API
 
 There are five context-sensitive filters for generic input:
- - `<div>``{{{inHTMLData data}}}``</div>`
- - `<!--``{{{inHTMLComment comment}}}``-->`
- - `<input value='``{{{inSingleQuotedAttr value}}}``'/>`
- - `<input value="``{{{inDoubleQuotedAttr value}}}``"/>`
- - `<input value=``{{{inUnQuotedAttr value}}}``/>`
+ - `<div>` `{{{inHTMLData data}}}` `</div>`
+ - `<!--` `{{{inHTMLComment comment}}}` `-->`
+ - `<input value='` `{{{inSingleQuotedAttr value}}}` `'/>`
+ - `<input value="` `{{{inDoubleQuotedAttr value}}}` `"/>`
+ - `<input value=` `{{{inUnQuotedAttr value}}}` `/>`
 
 > Here we use {{{ }}} to indicate output expression to ease illustrations
 
diff --git a/dist/xss-filters.1.0.6.min.js b/dist/xss-filters.1.0.6.min.js
new file mode 100644
index 0000000..2f0b9b7
--- /dev/null
+++ b/dist/xss-filters.1.0.6.min.js
@@ -0,0 +1,5 @@
+/**
+ * xss-filters - v1.0.6
+ * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
+ */
+!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a="undefined",b="null",c=/</g,d=/\"/g,e=/\'/g,f=/[&<>"'`]/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["'`]/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=/^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)/,l=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&amp;":"<"===a?"&lt;":">"===a?"&gt;":'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"&lt;")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,"&quot;")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"&#39;")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return"	"===a?"&#9;":"\n"===a?"&#10;":"\f"===a?"&#12;":" "===a?"&#32;":"&gt;"}),c=c.replace(h,function(a){return'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:k.test(a)?"x-"+a:a},yufull:function(a){return encodeURI(a).replace(l,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}());
\ No newline at end of file
diff --git a/dist/xss-filters.js b/dist/xss-filters.js
index 7f15255..1d88339 100644
--- a/dist/xss-filters.js
+++ b/dist/xss-filters.js
@@ -1,5 +1,5 @@
 /**
- * xss-filters - v1.0.5
+ * xss-filters - v1.0.6
  * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
  */
-!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g<d.length;g++)e(d[g]);return e}({1:[function(a,b,c){function d(a,b,c){return e.yubl(b((c||e.yufull)(a)))}c._getPrivFilters=function(){var a="undefined",b="null",c=/</g,d=/\"/g,e=/\'/g,f=/[&<>"']/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["']/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=null,l="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)",m=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&amp;":"<"===a?"&lt;":">"===a?"&gt;":'"'===a?"&quot;":"&#39;"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"&lt;")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,"&quot;")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"&#39;")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return"	"===a?"&Tab;":"\n"===a?"&NewLine;":"\f"===a?"&#12;":" "===a?"&#32;":"&gt;"}),c=c.replace(h,function(a){return'"'===a?"&quot;":"&#39;"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:(null===k&&(k=new RegExp(l)),k.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(m,function(a,b){return"//["+b+"]"})}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)});
\ No newline at end of file
+!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.xssFilters=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};b[g][0].call(k.exports,function(a){var c=b[g][1][a];return e(c?c:a)},k,k.exports,a,b,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g<d.length;g++)e(d[g]);return e}({1:[function(a,b,c){function d(a,b,c){return e.yubl(b((c||e.yufull)(a)))}c._getPrivFilters=function(){var a="undefined",b="null",c=/</g,d=/\"/g,e=/\'/g,f=/[&<>"'`]/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["'`]/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=/^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)/,l=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&amp;":"<"===a?"&lt;":">"===a?"&gt;":'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"&lt;")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,"&quot;")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"&#39;")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return"	"===a?"&#9;":"\n"===a?"&#10;":"\f"===a?"&#12;":" "===a?"&#32;":"&gt;"}),c=c.replace(h,function(a){return'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:k.test(a)?"x-"+a:a},yufull:function(a){return encodeURI(a).replace(l,function(a,b){return"//["+b+"]"})}}};var e=c._privFilters=c._getPrivFilters();c.inHTMLData=e.yd,c.inHTMLComment=e.yc,c.inSingleQuotedAttr=e.yavs,c.inDoubleQuotedAttr=e.yavd,c.inUnQuotedAttr=e.yavu,c.uriInSingleQuotedAttr=function(a){return d(a,e.yavs)},c.uriInDoubleQuotedAttr=function(a){return d(a,e.yavd)},c.uriInUnQuotedAttr=function(a){return d(a,e.yavu)},c.uriInHTMLData=e.yufull,c.uriInHTMLComment=function(a){return e.yc(e.yufull(a))},c.uriPathInSingleQuotedAttr=function(a){return d(a,e.yavs,e.yu)},c.uriPathInDoubleQuotedAttr=function(a){return d(a,e.yavd,e.yu)},c.uriPathInUnQuotedAttr=function(a){return d(a,e.yavu,e.yu)},c.uriPathInHTMLData=e.yu,c.uriPathInHTMLComment=function(a){return e.yc(e.yu(a))},c.uriQueryInSingleQuotedAttr=c.uriPathInSingleQuotedAttr,c.uriQueryInDoubleQuotedAttr=c.uriPathInDoubleQuotedAttr,c.uriQueryInUnQuotedAttr=c.uriPathInUnQuotedAttr,c.uriQueryInHTMLData=c.uriPathInHTMLData,c.uriQueryInHTMLComment=c.uriPathInHTMLComment,c.uriComponentInSingleQuotedAttr=function(a){return e.yavs(e.yuc(a))},c.uriComponentInDoubleQuotedAttr=function(a){return e.yavd(e.yuc(a))},c.uriComponentInUnQuotedAttr=function(a){return e.yavu(e.yuc(a))},c.uriComponentInHTMLData=e.yuc,c.uriComponentInHTMLComment=function(a){return e.yc(e.yuc(a))},c.uriFragmentInSingleQuotedAttr=function(a){return e.yubl(e.yavs(e.yuc(a)))},c.uriFragmentInDoubleQuotedAttr=function(a){return e.yubl(e.yavd(e.yuc(a)))},c.uriFragmentInUnQuotedAttr=function(a){return e.yubl(e.yavu(e.yuc(a)))},c.uriFragmentInHTMLData=c.uriComponentInHTMLData,c.uriFragmentInHTMLComment=c.uriComponentInHTMLComment},{}]},{},[1])(1)});
\ No newline at end of file
diff --git a/dist/xss-filters.min.js b/dist/xss-filters.min.js
index daa192c..2f0b9b7 100644
--- a/dist/xss-filters.min.js
+++ b/dist/xss-filters.min.js
@@ -1,5 +1,5 @@
 /**
- * xss-filters - v1.0.5
+ * xss-filters - v1.0.6
  * Yahoo! Inc. Copyrights licensed under the New BSD License. See the accompanying LICENSE file for terms.
  */
-!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a="undefined",b="null",c=/</g,d=/\"/g,e=/\'/g,f=/[&<>"']/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["']/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=null,l="^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)",m=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{FILTER_NOT_HANDLE:"y",FILTER_DATA:"yd",FILTER_COMMENT:"yc",FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED:"yavd",FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED:"yavs",FILTER_ATTRIBUTE_VALUE_UNQUOTED:"yavu",FILTER_ENCODE_URI:"yu",FILTER_ENCODE_URI_COMPONENT:"yuc",FILTER_URI_SCHEME_BLACKLIST:"yubl",FILTER_FULL_URI:"yufull",y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&amp;":"<"===a?"&lt;":">"===a?"&gt;":'"'===a?"&quot;":"&#39;"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"&lt;")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,"&quot;")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"&#39;")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return"	"===a?"&Tab;":"\n"===a?"&NewLine;":"\f"===a?"&#12;":" "===a?"&#32;":"&gt;"}),c=c.replace(h,function(a){return'"'===a?"&quot;":"&#39;"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:(null===k&&(k=new RegExp(l)),k.test(a)?"x-"+a:a)},yufull:function(a){return encodeURI(a).replace(m,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}());
\ No newline at end of file
+!function(a,b){function c(a,b,c){return d.yubl(b((c||d.yufull)(a)))}b.xssFilters=a,a._getPrivFilters=function(){var a="undefined",b="null",c=/</g,d=/\"/g,e=/\'/g,f=/[&<>"'`]/g,g=/(--!?>|--?!?$|\]>|\]$)/g,h=/^["'`]/,i=/[\t\n\f >]/g,j=["&","j","J","v","V"],k=/^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)/,l=/\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;return{y:function(c){return typeof c===a?a:null===c?b:c.toString().replace(f,function(a){return"&"===a?"&amp;":"<"===a?"&lt;":">"===a?"&gt;":'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"})},yd:function(d){return typeof d===a?a:null===d?b:d.toString().replace(c,"&lt;")},yc:function(c){return typeof c===a?a:null===c?b:c.toString().replace(g,function(a){return"-->"===a?"-- >":"--!>"===a?"--! >":"--!"===a?"--! ":"--"===a?"-- ":"-"===a?"- ":"]>"===a?"] >":"] "})},yavd:function(c){return typeof c===a?a:null===c?b:c.toString().replace(d,"&quot;")},yavs:function(c){return typeof c===a?a:null===c?b:c.toString().replace(e,"&#39;")},yavu:function(c){return typeof c===a?a:null===c?b:(c=c.toString().replace(i,function(a){return"	"===a?"&#9;":"\n"===a?"&#10;":"\f"===a?"&#12;":" "===a?"&#32;":"&gt;"}),c=c.replace(h,function(a){return'"'===a?"&quot;":"'"===a?"&#39;":"&#96;"}),""===c?"\x00":c)},yu:encodeURI,yuc:encodeURIComponent,yubl:function(a){return-1===j.indexOf(a[0])?a:k.test(a)?"x-"+a:a},yufull:function(a){return encodeURI(a).replace(l,function(a,b){return"//["+b+"]"})}}};var d=a._privFilters=a._getPrivFilters();a.inHTMLData=d.yd,a.inHTMLComment=d.yc,a.inSingleQuotedAttr=d.yavs,a.inDoubleQuotedAttr=d.yavd,a.inUnQuotedAttr=d.yavu,a.uriInSingleQuotedAttr=function(a){return c(a,d.yavs)},a.uriInDoubleQuotedAttr=function(a){return c(a,d.yavd)},a.uriInUnQuotedAttr=function(a){return c(a,d.yavu)},a.uriInHTMLData=d.yufull,a.uriInHTMLComment=function(a){return d.yc(d.yufull(a))},a.uriPathInSingleQuotedAttr=function(a){return c(a,d.yavs,d.yu)},a.uriPathInDoubleQuotedAttr=function(a){return c(a,d.yavd,d.yu)},a.uriPathInUnQuotedAttr=function(a){return c(a,d.yavu,d.yu)},a.uriPathInHTMLData=d.yu,a.uriPathInHTMLComment=function(a){return d.yc(d.yu(a))},a.uriQueryInSingleQuotedAttr=a.uriPathInSingleQuotedAttr,a.uriQueryInDoubleQuotedAttr=a.uriPathInDoubleQuotedAttr,a.uriQueryInUnQuotedAttr=a.uriPathInUnQuotedAttr,a.uriQueryInHTMLData=a.uriPathInHTMLData,a.uriQueryInHTMLComment=a.uriPathInHTMLComment,a.uriComponentInSingleQuotedAttr=function(a){return d.yavs(d.yuc(a))},a.uriComponentInDoubleQuotedAttr=function(a){return d.yavd(d.yuc(a))},a.uriComponentInUnQuotedAttr=function(a){return d.yavu(d.yuc(a))},a.uriComponentInHTMLData=d.yuc,a.uriComponentInHTMLComment=function(a){return d.yc(d.yuc(a))},a.uriFragmentInSingleQuotedAttr=function(a){return d.yubl(d.yavs(d.yuc(a)))},a.uriFragmentInDoubleQuotedAttr=function(a){return d.yubl(d.yavd(d.yuc(a)))},a.uriFragmentInUnQuotedAttr=function(a){return d.yubl(d.yavu(d.yuc(a)))},a.uriFragmentInHTMLData=a.uriComponentInHTMLData,a.uriFragmentInHTMLComment=a.uriComponentInHTMLComment}({},function(){return this}());
\ No newline at end of file
diff --git a/package.json b/package.json
index 4c6f4ae..59f7313 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "xss-filters",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "licenses": [
     {
       "type": "BSD",
diff --git a/src/xss-filters.js b/src/xss-filters.js
index 4002f7d..82ea0e8 100644
--- a/src/xss-filters.js
+++ b/src/xss-filters.js
@@ -16,12 +16,12 @@ exports._getPrivFilters = function () {
         LT     = /</g,
         QUOT   = /\"/g,
         SQUOT  = /\'/g,
-        SPECIAL_HTML_CHARS = /[&<>"']/g;
+        SPECIAL_HTML_CHARS = /[&<>"'`]/g;
 
     var COMMENT_SENSITIVE_CHARS = /(--!?>|--?!?$|\]>|\]$)/g;
 
     // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state
-    var BEFORE_ATTR_VALUE_CHARS = /^["']/;
+    var BEFORE_ATTR_VALUE_CHARS = /^["'`]/;
     var ATTR_VALUE_UNQUOTED_CHARS = /[\t\n\f >]/g;
 
     // Reference: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive
@@ -111,35 +111,21 @@ exports._getPrivFilters = function () {
     */
 
     var URI_SLOWLANE = ['&', 'j', 'J', 'v', 'V'],
-        URI_BLACKLIST = null, 
         // delay building URI_BLACKLIST as an RegExp() object until the first hit
         // the following str is generated by the above commented logic
-        URI_BLACKLIST_REGEXPSTR = "^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)";
+        URI_BLACKLIST_REGEXP = /^(?:&#[xX]0*(?:1?[1-9a-fA-F]|10|20);?|&#0*(?:[1-9]|[1-2][0-9]|30|31|32);?|&Tab;|&NewLine;)*(?:(?:j|J|&#[xX]0*(?:6|4)[aA];?|&#0*(?:106|74);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:a|A|&#[xX]0*(?:6|4)1;?|&#0*(?:97|65);?)|(?:v|V|&#[xX]0*(?:7|5)6;?|&#0*(?:118|86);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:b|B|&#[xX]0*(?:6|4)2;?|&#0*(?:98|66);?))(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:s|S|&#[xX]0*(?:7|5)3;?|&#0*(?:115|83);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:c|C|&#[xX]0*(?:6|4)3;?|&#0*(?:99|67);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:r|R|&#[xX]0*(?:7|5)2;?|&#0*(?:114|82);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:i|I|&#[xX]0*(?:6|4)9;?|&#0*(?:105|73);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:p|P|&#[xX]0*(?:7|5)0;?|&#0*(?:112|80);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?:t|T|&#[xX]0*(?:7|5)4;?|&#0*(?:116|84);?)(?:&#[xX]0*[9aAdD];?|&#0*(?:9|10|13);?|&Tab;|&NewLine;)*(?::|&#[xX]0*3[aA];?|&#0*58;?|&colon;)/;
 
     // Given a full URI, need to support "[" ( IPv6address ) "]" in URI as per RFC3986
     // Reference: https://tools.ietf.org/html/rfc3986
     var URL_IPV6 = /\/\/%5[Bb]([A-Fa-f0-9:]+)%5[Dd]/;
 
     return {
-
-        // TODO: remove the following mappings 
-        FILTER_NOT_HANDLE: "y",
-        FILTER_DATA: "yd",
-        FILTER_COMMENT: "yc",
-        FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED: "yavd",
-        FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED: "yavs",
-        FILTER_ATTRIBUTE_VALUE_UNQUOTED: "yavu",
-        FILTER_ENCODE_URI: "yu",
-        FILTER_ENCODE_URI_COMPONENT: "yuc",
-        FILTER_URI_SCHEME_BLACKLIST: "yubl",
-        FILTER_FULL_URI: "yufull",
-
         /*
          * @param {string} s - An untrusted user input
-         * @returns {string} s - The original user input with & < > " ' encoded respectively as &amp; &lt; &gt; &quot; and &#39;.
+         * @returns {string} s - The original user input with & < > " ' ` encoded respectively as &amp; &lt; &gt; &quot; &#39; and &#96;.
          *
          * @description
-         * <p>This filter is a fallback to use the standard HTML escaping (i.e., encoding &<>"')
+         * <p>This filter is a fallback to use the standard HTML escaping (i.e., encoding &<>"'`)
          * in contexts that are currently not handled by the automatic context-sensitive templating solution.</p>
          *
          * Workaround this problem by following the suggestion below:
@@ -156,7 +142,8 @@ exports._getPrivFilters = function () {
                         if (m === '<')      { return '&lt;';   }
                         if (m === '>')      { return '&gt;';   }
                         if (m === '"')      { return '&quot;'; }
-                        /* if (m === "'") */  return '&#39;';
+                        if (m === "'")      { return '&#39;';  }
+                        /*if (m === '`')*/    return '&#96;';       // in hex: 60
                     });
         },
 
@@ -175,6 +162,8 @@ exports._getPrivFilters = function () {
         // Reference: https://html.spec.whatwg.org/multipage/syntax.html#comment-state
         // ']>' and 'ends with ]' patterns deal with IE conditional comments. verified in IE that '] >' can stop that.
         // Reference: http://msdn.microsoft.com/en-us/library/ms537512%28v=vs.85%29.aspx
+        // We do not care --\s>, which can possibly be intepreted as a valid close comment tag in very old browsers (e.g., firefox 3.6), as specified in the html4 spec
+        // Reference: http://www.w3.org/TR/html401/intro/sgmltut.html#h-3.2.4
         yc: function (s) {
             return typeof s === STR_UD ? STR_UD
                  : s === null          ? STR_NL
@@ -216,8 +205,8 @@ exports._getPrivFilters = function () {
             if (s === null)          { return STR_NL; }
 
             s = s.toString().replace(ATTR_VALUE_UNQUOTED_CHARS, function (m) {
-                if (m === '\t')    { return '&Tab;';     }
-                if (m === '\n')    { return '&NewLine;'; }
+                if (m === '\t')    { return '&#9;';      } // in hex: 09
+                if (m === '\n')    { return '&#10;';     } // in hex: 0A
                 if (m === '\f')    { return '&#12;';     } // in hex: 0C
                 if (m === ' ')     { return '&#32;';     } // in hex: 20
                 /*if (m === '>')*/   return '&gt;';
@@ -230,7 +219,8 @@ exports._getPrivFilters = function () {
             // Reference: https://html.spec.whatwg.org/multipage/syntax.html#before-attribute-value-state
             s = s.replace(BEFORE_ATTR_VALUE_CHARS, function (m) {
                 if (m === '"')     { return '&quot;'; }
-                /*if (m === "'")*/   return '&#39;';
+                if (m === "'")     { return '&#39;';  }
+                /*if (m === '`')*/   return '&#96;';       // in hex: 60
             });
 
             // Inject NULL character if an empty string is encountered in 
@@ -274,16 +264,9 @@ exports._getPrivFilters = function () {
             // assumption: s has gone through yavd/yavs/yavu(encodeURI/encodeURIComponent(s))
             // chars like whitespaces are already turned to %-encoding
             // so, let go if the first char is not &, j, J, v nor V
-            if (URI_SLOWLANE.indexOf(s[0]) === -1) {
-                return s;
-            }
-            
-            // build URI_BLACKLIST as a RegExp() object
-            if (URI_BLACKLIST === null) {
-                URI_BLACKLIST = new RegExp(URI_BLACKLIST_REGEXPSTR);
-            }
-
-            return URI_BLACKLIST.test(s) ? 'x-' + s : s;
+            return (URI_SLOWLANE.indexOf(s[0]) === -1) ? s 
+                    : URI_BLACKLIST_REGEXP.test(s) ? 'x-' + s 
+                    : s;
         },
 
         // This is NOT a security-critical filter.
diff --git a/tests/unit/private-xss-filters.js b/tests/unit/private-xss-filters.js
index a4195c0..7ef86f1 100644
--- a/tests/unit/private-xss-filters.js
+++ b/tests/unit/private-xss-filters.js
@@ -87,51 +87,6 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
         });
     });
 
-
-    describe("private-xss-filters: mapping tests", function() {
-
-        // TODO: remove the following mapping test when the mapping is removed
-        it('filter yd exists', function() {
-            expect(filter.FILTER_DATA).to.eql('yd');
-        });
-
-        it('filter yc exists', function() {
-            expect(filter.FILTER_COMMENT).to.eql('yc');
-        });
-
-        it('filter yavu exists', function() {
-            expect(filter.FILTER_ATTRIBUTE_VALUE_UNQUOTED).to.eql('yavu');
-        });
-
-        it('filter yavs exists', function() {
-            expect(filter.FILTER_ATTRIBUTE_VALUE_SINGLE_QUOTED).to.eql('yavs');
-        });
-
-        it('filter yavd exists', function() {
-            expect(filter.FILTER_ATTRIBUTE_VALUE_DOUBLE_QUOTED).to.eql('yavd');
-        });
-
-        it('filter yu exists', function() {
-            expect(filter.FILTER_ENCODE_URI).to.eql('yu');
-        });
-
-        it('filter yuc exists', function() {
-            expect(filter.FILTER_ENCODE_URI_COMPONENT).to.eql('yuc');
-        });
-
-        it('filter yubl exists', function() {
-            expect(filter.FILTER_URI_SCHEME_BLACKLIST).to.eql('yubl');
-        });
-
-        it('filter yufull exists', function() {
-            expect(filter.FILTER_FULL_URI).to.eql('yufull');
-        });
-
-        it('filter y exists', function() {
-            expect(filter.FILTER_NOT_HANDLE).to.eql('y');
-        });
-    });
-
     describe("private-xss-filters: error and data type tests", function() {
 
         // an feature indicator of which encodeURI() and encodeURIComponent is used
@@ -226,9 +181,9 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
     describe("private-xss-filters: unchained state transition tests", function() {
         
         it('filter y state transition test', function() {
-            var s = "foo&<>\"' bar&<>\"'";
+            var s = "foo&<>\"'` bar&<>\"' &lt;";
             var o = filter.y(s);
-            expect(o).to.eql('foo&amp;&lt;&gt;&quot;&#39; bar&amp;&lt;&gt;&quot;&#39;');
+            expect(o).to.eql('foo&amp;&lt;&gt;&quot;&#39;&#96; bar&amp;&lt;&gt;&quot;&#39; &amp;lt;');
         });
 
         it('filter yd state transition test', function() {
@@ -247,23 +202,26 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
 
         it('filter yav-single-quoted state transition test', function() {
             testutils.test_yav(filter.yavs, [
-                'foo&<>&#39;" \t\n\f', '\f', '',
+                'foo&<>&#39;"` \t\n\f', '\f', '',
                 '&#39;&#39;', ' &#39;&#39;', '\t&#39;&#39;', '\n&#39;&#39;', '\f&#39;&#39;',
-                '""',         ' ""',         '\t""',         '\n""',         '\f""']);
+                '""',         ' ""',         '\t""',         '\n""',         '\f""',
+                '``',         ' ``',         '\t``',         '\n``',         '\f``']);
         });
 
         it('filter yav-double-quoted state transition test', function() {
             testutils.test_yav(filter.yavd, [
-                'foo&<>\'&quot; \t\n\f', '\f', '',
+                'foo&<>\'&quot;` \t\n\f', '\f', '',
                 "''",           " ''",           "\t''",           "\n''",           "\f''", 
-                '&quot;&quot;', ' &quot;&quot;', '\t&quot;&quot;', '\n&quot;&quot;', '\f&quot;&quot;']);
+                '&quot;&quot;', ' &quot;&quot;', '\t&quot;&quot;', '\n&quot;&quot;', '\f&quot;&quot;',
+                '``',           ' ``',           '\t``',           '\n``',           '\f``']);
         });
         
         it('filter yav-unquoted state transition test', function() {
             testutils.test_yav(filter.yavu, [
-                'foo&<&gt;\'"&#32;&Tab;&NewLine;&#12;', '&#12;', '\u0000',
-                "&#39;'",  "&#32;''", "&Tab;''", "&NewLine;''", "&#12;''",
-                '&quot;"', '&#32;""', '&Tab;""', '&NewLine;""', '&#12;""']);
+                'foo&<&gt;\'"`&#32;&#9;&#10;&#12;', '&#12;', '\u0000',
+                "&#39;'",  "&#32;''", "&#9;''", "&#10;''", "&#12;''",
+                '&quot;"', '&#32;""', '&#9;""', '&#10;""', '&#12;""',
+                '&#96;`',  '&#32;``', '&#9;``', '&#10;``', '&#12;``']);
         });
 
         it('filter yu state transition test', function() {
diff --git a/tests/unit/xss-filters.js b/tests/unit/xss-filters.js
index 2cfdf92..0e37083 100644
--- a/tests/unit/xss-filters.js
+++ b/tests/unit/xss-filters.js
@@ -187,9 +187,10 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
          */
         it('filter inSingleQuotedAttr state transition test', function() {
             testutils.test_yav(filter.inSingleQuotedAttr, [
-                'foo&<>&#39;" \t\n\f', '\f', '',
+                'foo&<>&#39;"` \t\n\f', '\f', '',
                 '&#39;&#39;', ' &#39;&#39;', '\t&#39;&#39;', '\n&#39;&#39;', '\f&#39;&#39;',
-                '""',         ' ""',         '\t""',         '\n""',         '\f""']);
+                '""',         ' ""',         '\t""',         '\n""',         '\f""',
+                '``',         ' ``',         '\t``',         '\n``',         '\f``']);
         });
 
         /*
@@ -198,9 +199,10 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
          */
         it('filter inDoubleQuotedAttr state transition test', function() {
             testutils.test_yav(filter.inDoubleQuotedAttr, [
-                'foo&<>\'&quot; \t\n\f', '\f', '',
+                'foo&<>\'&quot;` \t\n\f', '\f', '',
                 "''",           " ''",           "\t''",           "\n''",           "\f''", 
-                '&quot;&quot;', ' &quot;&quot;', '\t&quot;&quot;', '\n&quot;&quot;', '\f&quot;&quot;']);
+                '&quot;&quot;', ' &quot;&quot;', '\t&quot;&quot;', '\n&quot;&quot;', '\f&quot;&quot;',
+                '``',           ' ``',           '\t``',           '\n``',           '\f``']);
         });
         
         /*
@@ -209,38 +211,42 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
          */
         it('filter inUnQuotedAttr state transition test', function() {
             testutils.test_yav(filter.inUnQuotedAttr, [
-                'foo&<&gt;\'"&#32;&Tab;&NewLine;&#12;', '&#12;', '\u0000',
-                "&#39;'",  "&#32;''", "&Tab;''", "&NewLine;''", "&#12;''",
-                '&quot;"', '&#32;""', '&Tab;""', '&NewLine;""', '&#12;""']);
+                'foo&<&gt;\'"`&#32;&#9;&#10;&#12;', '&#12;', '\u0000',
+                "&#39;'",  "&#32;''", "&#9;''", "&#10;''", "&#12;''",
+                '&quot;"', '&#32;""', '&#9;""', '&#10;""', '&#12;""',
+                '&#96;`',  '&#32;``', '&#9;``', '&#10;``', '&#12;``']);
         });
         
 
 
         
         it('filter uriInSingleQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriInSingleQuotedAttr, [
-                'foo&%3C%3E&#39;%22%20%09%0A%0C', '%0C', '',
+                'foo&%3C%3E&#39;%22%60%20%09%0A%0C', '%0C', '',
                 '&#39;&#39;', '%20&#39;&#39;', '%09&#39;&#39;', '%0A&#39;&#39;', '%0C&#39;&#39;',
-                '%22%22',     '%20%22%22',     '%09%22%22',   '%0A%22%22',     '%0C%22%22']);
+                '%22%22',     '%20%22%22',     '%09%22%22',     '%0A%22%22',     '%0C%22%22',
+                '%60%60',     '%20%60%60',     '%09%60%60',     '%0A%60%60',     '%0C%60%60']);
             testutils.test_yufull(filter.uriInSingleQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']);
             testutils.test_yubl(filter.uriInSingleQuotedAttr);
         });
         it('filter uriInDoubleQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriInDoubleQuotedAttr, [
-                'foo&%3C%3E\'%22%20%09%0A%0C', '%0C', '',
-                '\'\'',   '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                'foo&%3C%3E\'%22%60%20%09%0A%0C', '%0C', '',
+                '\'\'',   '%20\'\'',   '%09\'\'',   '%0A\'\'',   '%0C\'\'',
+                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yufull(filter.uriInDoubleQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']);
             testutils.test_yubl(filter.uriInDoubleQuotedAttr);
         });
         it('filter uriInUnQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriInUnQuotedAttr, [
-                'foo&%3C%3E\'%22%20%09%0A%0C', '%0C', '\u0000',
+                'foo&%3C%3E\'%22%60%20%09%0A%0C', '%0C', '\u0000',
                 '&#39;\'', '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60',  '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yufull(filter.uriInUnQuotedAttr, ['http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]']);
             testutils.test_yubl(filter.uriInUnQuotedAttr);
         });
@@ -262,29 +268,32 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
 
 
         it('filter uriPathInSingleQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriPathInSingleQuotedAttr, [
-                'foo&%3C%3E&#39;%22%20%09%0A%0C', '%0C', '',
+                'foo&%3C%3E&#39;%22%60%20%09%0A%0C', '%0C', '',
                 '&#39;&#39;', '%20&#39;&#39;', '%09&#39;&#39;', '%0A&#39;&#39;', '%0C&#39;&#39;',
-                '%22%22',     '%20%22%22',     '%09%22%22',   '%0A%22%22',     '%0C%22%22']);
+                '%22%22',     '%20%22%22',     '%09%22%22',     '%0A%22%22',     '%0C%22%22',
+                '%60%60',     '%20%60%60',     '%09%60%60',     '%0A%60%60',     '%0C%60%60']);
             testutils.test_yu(filter.uriPathInSingleQuotedAttr);
             testutils.test_yubl(filter.uriPathInSingleQuotedAttr);
         });
         it('filter uriPathInDoubleQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriPathInDoubleQuotedAttr, [
-                'foo&%3C%3E\'%22%20%09%0A%0C', '%0C', '',
+                'foo&%3C%3E\'%22%60%20%09%0A%0C', '%0C', '',
                 '\'\'',   '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yu(filter.uriPathInDoubleQuotedAttr);
             testutils.test_yubl(filter.uriPathInDoubleQuotedAttr);
         });
         it('filter uriPathInUnQuotedAttr state transition test', function() {
-            // encodeURI('foo&<>\'" \t\n\f') = foo&%3C%3E'%22%20%09%0A%0C
+            // encodeURI('foo&<>\'"` \t\n\f') = foo&%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriPathInUnQuotedAttr, [
-                'foo&%3C%3E\'%22%20%09%0A%0C', '%0C', '\u0000',
+                'foo&%3C%3E\'%22%60%20%09%0A%0C', '%0C', '\u0000',
                 '&#39;\'', '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60',  '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yu(filter.uriPathInUnQuotedAttr);
             testutils.test_yubl(filter.uriPathInUnQuotedAttr);
         });
@@ -306,27 +315,30 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
 
 
         it('filter uriComponentInSingleQuotedAttr state transition test', function() {
-            // encodeURIComponent('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeURIComponent('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriComponentInSingleQuotedAttr, [
-                'foo%26%3C%3E&#39;%22%20%09%0A%0C', '%0C', '',
+                'foo%26%3C%3E&#39;%22%60%20%09%0A%0C', '%0C', '',
                 '&#39;&#39;', '%20&#39;&#39;', '%09&#39;&#39;', '%0A&#39;&#39;', '%0C&#39;&#39;',
-                '%22%22',     '%20%22%22',     '%09%22%22',   '%0A%22%22',     '%0C%22%22']);
+                '%22%22',     '%20%22%22',     '%09%22%22',     '%0A%22%22',     '%0C%22%22',
+                '%60%60',     '%20%60%60',     '%09%60%60',     '%0A%60%60',     '%0C%60%60']);
             testutils.test_yuc(filter.uriComponentInSingleQuotedAttr);
         });
         it('filter uriComponentInDoubleQuotedAttr state transition test', function() {
-            // encodeURIComponent('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeURIComponent('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriComponentInDoubleQuotedAttr, [
-                'foo%26%3C%3E\'%22%20%09%0A%0C', '%0C', '',
+                'foo%26%3C%3E\'%22%60%20%09%0A%0C', '%0C', '',
                 '\'\'',   '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yuc(filter.uriComponentInDoubleQuotedAttr);
         });
         it('filter uriComponentInUnQuotedAttr state transition test', function() {
-            // encodeURIComponent('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeURIComponent('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriComponentInUnQuotedAttr, [
-                'foo%26%3C%3E\'%22%20%09%0A%0C', '%0C', '\u0000',
+                'foo%26%3C%3E\'%22%60%20%09%0A%0C', '%0C', '\u0000',
                 '&#39;\'', '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60',  '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yuc(filter.uriComponentInUnQuotedAttr);
         });
         it('filter uriComponentInHTMLData state transition test', function() {
@@ -347,27 +359,30 @@ Authors: Nera Liu <neraliu@yahoo-inc.com>
 
 
         it('filter uriFragmentInSingleQuotedAttr state transition test', function() {
-            // encodeuriFragment('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeuriFragment('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriFragmentInSingleQuotedAttr, [
-                'foo%26%3C%3E&#39;%22%20%09%0A%0C', '%0C', '',
+                'foo%26%3C%3E&#39;%22%60%20%09%0A%0C', '%0C', '',
                 '&#39;&#39;', '%20&#39;&#39;', '%09&#39;&#39;', '%0A&#39;&#39;', '%0C&#39;&#39;',
-                '%22%22',     '%20%22%22',     '%09%22%22',   '%0A%22%22',     '%0C%22%22']);
+                '%22%22',     '%20%22%22',     '%09%22%22',     '%0A%22%22',     '%0C%22%22',
+                '%60%60',     '%20%60%60',     '%09%60%60',     '%0A%60%60',     '%0C%60%60']);
             testutils.test_yuc(filter.uriFragmentInSingleQuotedAttr);
         });
         it('filter uriFragmentInDoubleQuotedAttr state transition test', function() {
-            // encodeuriFragment('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeuriFragment('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriFragmentInDoubleQuotedAttr, [
-                'foo%26%3C%3E\'%22%20%09%0A%0C', '%0C', '',
-                '\'\'',   '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                'foo%26%3C%3E\'%22%60%20%09%0A%0C', '%0C', '',
+                '\'\'',   '%20\'\'',   '%09\'\'',   '%0A\'\'',   '%0C\'\'',
+                '%22%22', '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60', '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yuc(filter.uriFragmentInDoubleQuotedAttr);
         });
         it('filter uriFragmentInUnQuotedAttr state transition test', function() {
-            // encodeuriFragment('foo&<>\'" \t\n\f') = foo%26%3C%3E'%22%20%09%0A%0C
+            // encodeuriFragment('foo&<>\'"` \t\n\f') = foo%26%3C%3E'%22%60%20%09%0A%0C
             testutils.test_yav(filter.uriFragmentInUnQuotedAttr, [
-                'foo%26%3C%3E\'%22%20%09%0A%0C', '%0C', '\u0000',
-                '&#39;\'', '%20\'\'',   '%09\'\'',     '%0A\'\'',   '%0C\'\'',
-                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22']);
+                'foo%26%3C%3E\'%22%60%20%09%0A%0C', '%0C', '\u0000',
+                '&#39;\'', '%20\'\'',   '%09\'\'',   '%0A\'\'',   '%0C\'\'',
+                '%22%22',  '%20%22%22', '%09%22%22', '%0A%22%22', '%0C%22%22',
+                '%60%60',  '%20%60%60', '%09%60%60', '%0A%60%60', '%0C%60%60']);
             testutils.test_yuc(filter.uriFragmentInUnQuotedAttr);
         });
         
diff --git a/tests/utils.js b/tests/utils.js
index bd65285..6bab4f2 100644
--- a/tests/utils.js
+++ b/tests/utils.js
@@ -59,15 +59,15 @@ exports.test_yc = function (filter, expectedResults) {
 };
 
 exports.test_yav = function (filter, expectedResults) {
-    if (!expectedResults || expectedResults.length !== 13)
-        throw new Error('must take 13 expected results');
+    if (!expectedResults || expectedResults.length !== 18)
+        throw new Error('must take 18 expected results');
 
     var str, o;
 
     o = filter(123);
     expect(o).to.eql('123');
 
-    str = 'foo&<>\'" \t\n\f';
+    str = 'foo&<>\'"` \t\n\f';
     o = filter(str);
     expect(o).to.eql(expectedResults[0]);
 
@@ -102,6 +102,18 @@ exports.test_yav = function (filter, expectedResults) {
     expect(o).to.eql(expectedResults[11]);
     o = filter('\f""');
     expect(o).to.eql(expectedResults[12]);
+
+    // test if prohibited state change
+    o = filter('``');
+    expect(o).to.eql(expectedResults[13]);
+    o = filter(' ``');
+    expect(o).to.eql(expectedResults[14]);
+    o = filter('\t``');
+    expect(o).to.eql(expectedResults[15]);
+    o = filter('\n``');
+    expect(o).to.eql(expectedResults[16]);
+    o = filter('\f``');
+    expect(o).to.eql(expectedResults[17]);
 };
 
 

From c3a8bf8d4b8baf7b11b5cdd33a616ce331769a1d Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Fri, 13 Mar 2015 16:31:54 +0800
Subject: [PATCH 2/2] updated the comment for inUnQuotedAttr

---
 src/xss-filters.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/xss-filters.js b/src/xss-filters.js
index 82ea0e8..04d2afb 100644
--- a/src/xss-filters.js
+++ b/src/xss-filters.js
@@ -392,7 +392,7 @@ exports.inDoubleQuotedAttr = privFilters.yavd;
 * @function module:xss-filters#inUnQuotedAttr
 *
 * @param {string} s - An untrusted user input
-* @returns {string} The string s with any tab, LF, FF, space, and '>' encoded.
+* @returns {string} The string s with any tab, LF, FF, space, and '>' encoded. If the first char is either ' " or `, it is also encoded. If an empty string is encountered, return a NULL character '\u0000'.
 *
 * @description
 * <p class="warning">Warning: This is NOT designed for any onX (e.g., onclick) attributes!</p>