Following the algorithms of these methods in the current ES6 draft:
However, this would be a better result:
The problem here is " doesn’t escape into " at the moment, which is a potential security risk (XSS vector).
For this reason, Chrome/V8 escapes " into ". Firefox/Spidermonkey is going to change its behavior to do the same: https://bugzilla.mozilla.org/show_bug.cgi?id=352437 Opera/Carakan will change its behavior too, as soon as other browsers change (bug DSK-369206). The IE bug is here: https://connect.microsoft.com/IE/feedback/details/752391
Here’s a list of the methods that have this issue:
*** This bug has been marked as a duplicate of bug 406 ***