Escape HTML from nodeValue

[walruscow]

Tip: add ?w=0 to the diff to ignore whitespace (I removed trailing whitespace).

Added new functions to escape/unescape HTML entities &, ", ', <, >.

Page with example of previous behaviour (put in base directory to run).

<html>
  <head><title>Hello World</title></head>
  <body>
    <p id="test">Hello &lt;script&gt;alert('hi');&lt;/script&gt; World</p>
    <script src="shared/jquery-1.4.1.js"></script>
    <script src="jquery.ba-replacetext.js"></script>
    <script>
      $('#test').replaceText(/Hello/, '<span>Hello</span>');
    </script>
  </body>
</html>

Notice that with the original code, an alert is received, and the <script>alert('hi');</script> text disappears. With the new code, it remains, and no alert is received.

I'm no jQuery hacker or anything, but some code I'm working on was using this library and I finally traced the bug down to this plugin. We're using underscore so this was a much more minor change when I made it for us. Thought I'd push it back to you in case you want it.

[cburschka]

Ouch! Just ran into this bug yesterday on (cburschka/cadence#192) and had to add an emergency workaround. I suppose I'll switch to your fork in the next version.