From c197ccf31c230f625d7ae4564aa213705727540f Mon Sep 17 00:00:00 2001
From: Jack McCracken
Date: Mon, 30 Sep 2019 16:47:30 -0400
Subject: [PATCH] Escape / and < also so apps cannot be broken by browsers trying to 'correct' the HTML
---
 lib/hypernova/blank_renderer.rb | 2 +-
 spec/blank_renderer_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/hypernova/blank_renderer.rb b/lib/hypernova/blank_renderer.rb
index 59ae67d..d230baa 100644
--- a/lib/hypernova/blank_renderer.rb
+++ b/lib/hypernova/blank_renderer.rb
@@ -21,7 +21,7 @@ def data
 end
 def encode
- JSON.generate(data).gsub(/&/, '&').gsub(/>/, '>')
+ JSON.generate(data).gsub(/&/, '&').gsub(/>/, '>').gsub(/