Escaping single quotes is good because otherwise `<tag attr='{{var}}'>` is unsafe, even though it's semantically identical to `<tag attr="{{var}}">`, which is safe. A recipe for disaster!

Also, at least some of the mustache implementations escape single quotes now:

- Mustache.js: escapes single quotes.
- mustache (ruby): uses CGI. CGI doesn't escape single quotes in Ruby 1.9.x, but does in Ruby 2.0.
- pystache: Single quotes escaped as of Python 3.2.
- mustache.go: Escapes single quotes (as '!).
While I agree with the principle, this is something that should be taken up with the Mustache spec. Until and unless that is changed, escaping single quotes would actually make Mustache.php not spec compliant.
In the meantime, it's possible to use a custom escaper to escape however you want. I would also be cool with adding an engine-level configuration option to override the flags, analogous to the $charset option already provided.
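The following is an added example, not code from the Mustache.php project or from either participant in this thread. It contrasts an escaper that, like PHP's `htmlspecialchars()` with `ENT_COMPAT`, leaves single quotes alone with one that uses `ENT_QUOTES`, and checks both attribute quoting styles from the issue against a constructed attacker-controlled value. The final block shows the `ENT_QUOTES` escaper passed as Mustache.php's `escape` engine option (a documented option that accepts a callable); it only runs when the library's `Mustache_Engine` class is loaded, so the rest of the script runs stand-alone.

```php
<?php
// Added example (not from the Mustache.php project): compare an escaper that
// leaves single quotes alone with one that escapes them, in both attribute
// quoting styles discussed in the issue.

// Escaper that behaves like htmlspecialchars() with ENT_COMPAT: double quotes
// become &quot;, single quotes pass through untouched.
function escape_compat($value)
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

// Escaper that also converts single quotes (to &#039;), which is the behaviour
// the issue asks for; this is the callable you would hand to Mustache.php.
function escape_quotes($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Escape a value with the given escaper and report, for each attribute quoting
// style, whether the value stays confined to the attribute. A surviving quote
// of the surrounding style means the attribute can be closed early.
function attribute_stays_closed(callable $escaper, $value)
{
    $escaped = $escaper($value);
    return array(
        'single' => strpos($escaped, "'") === false,
        'double' => strpos($escaped, '"') === false,
    );
}

// Constructed sample value: a quote followed by a second attribute, the shape
// of input that breaks out of a single-quoted attribute.
$value = "x' title='injected";

foreach (array('escape_compat', 'escape_quotes') as $name) {
    $ok = attribute_stays_closed($name, $value);
    printf("%-14s single-quoted attr safe: %s, double-quoted attr safe: %s\n",
        $name, $ok['single'] ? 'yes' : 'no', $ok['double'] ? 'yes' : 'no');
    // Show the rendered markup so the difference is visible in the output.
    printf("  <tag attr='%s'>\n", $name($value));
}

// Wiring the stricter escaper into Mustache.php via the 'escape' option.
// Guarded so the script still runs without the library installed.
if (class_exists('Mustache_Engine')) {
    $mustache = new Mustache_Engine(array(
        'escape' => function ($value) {
            return escape_quotes($value);
        },
    ));
    echo $mustache->render("<tag attr='{{var}}'>", array('var' => $value)), "\n";
}
```

Run with `php escape_demo.php` (file name assumed). With `escape_compat` the single-quoted form reports "safe: no" and the rendered tag gains a second `title` attribute; with `escape_quotes` both forms report "safe: yes" because the quote is emitted as `&#039;`. This is the behaviour the comment describes as achievable today through a custom escaper without changing the spec-mandated default.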