fixed default encode/decode levels based on @fb55's comment on #71

lib/api/utils.js

@@ -35,7 +35,8 @@ _.each(types.split(' '), function(name) {
 var tags = { tag : true, script : true, style : true };
 
 // Expose encode and decode methods from FB55's node-entities library
-var encode = exports.encode = function(str) { return entities.encode(str, 2); };
+// 0 = XML, 1 = HTML4 and 2 = HTML5
+var encode = exports.encode = function(str) { return entities.encode(str, 0); };
 var decode = exports.decode = function(str) { return entities.decode(str, 2); };
 
 /*

test/api.attributes.js

@@ -46,7 +46,7 @@ describe('$(...)', function() {
     it('(key, value) : should correctly encode then decode unsafe values', function() {
       var $apple = $('.apple', fruits);
       $apple.attr('href', 'http://github.com/"><script>alert("XSS!")</script><br');
-      expect($apple.get(0).attribs.href).to.equal('http&colon;&sol;&sol;github&period;com&sol;&quot;&gt;&lt;script&gt;alert&lpar;&quot;XSS&excl;&quot;&rpar;&lt;&sol;script&gt;&lt;br');
+      expect($apple.get(0).attribs.href).to.equal('http://github.com/&quot;&gt;&lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt;&lt;br');
       expect($apple.attr('href')).to.equal('http://github.com/"><script>alert("XSS!")</script><br');
 
       $apple.attr('href', 'http://github.com/"><script>alert("XSS!")</script><br');

test/api.manipulation.js

@@ -284,7 +284,7 @@ describe('$(...)', function() {
       var $apple = $('.apple', fruits);
 
       $apple.text('blah <script>alert("XSS!")</script> blah');
-      expect($apple.get(0).children[0].data).to.equal('blah &lt;script&gt;alert&lpar;&quot;XSS&excl;&quot;&rpar;&lt;&sol;script&gt; blah');
+      expect($apple.get(0).children[0].data).to.equal('blah &lt;script&gt;alert(&quot;XSS!&quot;)&lt;/script&gt; blah');
       expect($apple.text()).to.equal('blah <script>alert("XSS!")</script> blah');
 
       $apple.text('blah <script>alert("XSS!")</script> blah');