implement triples in SSR compiler, and escape HTML for regular tags

src/server-side-rendering/compile.js

@@ -219,6 +219,11 @@ export default function compile ( parsed, source, { filename }) {
 		},
 
 		MustacheTag ( node ) {
+			const { snippet } = contextualise( node.expression ); // TODO use snippet, for sourcemap support
+			return '${__escape( String( ' + snippet + ') )}';
+		},
+
+		RawMustacheTag ( node ) {
 			const { snippet } = contextualise( node.expression ); // TODO use snippet, for sourcemap support
 			return '${' + snippet + '}';
 		},
@@ -381,6 +386,18 @@ export default function compile ( parsed, source, { filename }) {
 		exports.renderCss = function () {
 			${renderCssStatements.join( '\n\n' )}
 		};
+
+		var escaped = {
+			'"': '"',
+			"'": '&39;',
+			'&': '&',
+			'<': '&lt;',
+			'>': '&gt;'
+		};
+
+		function __escape ( html ) {
+			return html.replace( /["'&<>]/g, match => escaped[ match ] );
+		}
 	` );
 
 	const rendered = topLevelStatements.join( '\n\n' );

test/server-side-rendering/dynamic-text-escaped/_actual.html

@@ -0,0 +1 @@
+<p>this should be <em>escaped</em> & so should &39;this&39;</p>

test/server-side-rendering/dynamic-text-escaped/_expected.html

@@ -0,0 +1 @@
+<p>this should be <em>escaped</em> & so should &39;this&39;</p>

test/server-side-rendering/dynamic-text-escaped/data.json

@@ -0,0 +1,3 @@
+{
+	"foo": "<p>this should be <em>escaped</em> & so should 'this'</p>"
+}

test/server-side-rendering/dynamic-text-escaped/main.html

@@ -0,0 +1 @@
+{{foo}}

test/server-side-rendering/triple/_actual.html

@@ -0,0 +1 @@
+<div><p>html</p></div>

test/server-side-rendering/triple/_expected.html

@@ -0,0 +1 @@
+<div><p>html</p></div>

test/server-side-rendering/triple/main.html

@@ -0,0 +1,11 @@
+<div>{{{triple}}}</div>
+
+<script>
+	export default {
+		data () {
+			return {
+				triple: '<p>html</p>'
+			};
+		}
+	};
+</script>