html-escape
Escape a string to be safe for use in HTML. `&`, `<`, `'`, and `"` characters are replaced with their named character references: `&amp;`, `&lt;`, `&apos;`, and `&quot;`. Escaped strings will be safe for use in the following contexts:

- RCDATA and DATA (content of all elements except for `<script>` and `<style>`)
- Single-quoted attribute values (`'`)
- Double-quoted attribute values (`"`)
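The context list above can be checked mechanically. The following is an added example, not code from the package: `escapeHtml` is a stand-in written from the description above, and `TERMINATORS`, `SAMPLES`, `staysInContext` and `report` are hypothetical names. It also covers an unquoted attribute value, a context the list does not include, to show why it is absent.

```javascript
// Stand-in for the package's function, written from the README's description
// (four characters -> named references). Assumption: not the package source.
function escapeHtml(value) {
  const refs = { "&": "&amp;", "<": "&lt;", "'": "&apos;", '"': "&quot;" };
  return String(value).replace(/[&<'"]/g, (ch) => refs[ch]);
}

// Characters that let a value leave each context under HTML parsing rules.
const TERMINATORS = {
  elementContent: /</,        // "<" opens a tag
  doubleQuotedAttr: /"/,      // closing quote
  singleQuotedAttr: /'/,      // closing quote
  unquotedAttr: /[\s>]/,      // whitespace or ">" ends the value (NOT in the README's list)
};

// True when the escaped form of `untrusted` cannot terminate `context`.
function staysInContext(context, untrusted) {
  return !TERMINATORS[context].test(escapeHtml(untrusted));
}

// Constructed sample inputs, one aimed at each context's terminator.
const SAMPLES = {
  elementContent: "Hello <script>while(1);</script> world!",
  doubleQuotedAttr: 'x" data-injected="1',
  singleQuotedAttr: "x' data-injected='1",
  unquotedAttr: "x data-injected=1",
};

// Render each sample into its context and record whether it stayed contained.
function report() {
  const templates = {
    elementContent: (v) => `<p>${v}</p>`,
    doubleQuotedAttr: (v) => `<input value="${v}">`,
    singleQuotedAttr: (v) => `<input value='${v}'>`,
    unquotedAttr: (v) => `<input value=${v}>`,
  };
  return Object.keys(SAMPLES).map((context) => ({
    context,
    html: templates[context](escapeHtml(SAMPLES[context])),
    contained: staysInContext(context, SAMPLES[context]),
  }));
}

console.table(report());
```

The three listed contexts report `contained: true`; the unquoted attribute reports `false` because a space needs no escaping to end the value, so attribute values built from escaped strings must always be quoted.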
Example
```js
var escape = require("html-escape");
var xssAttempt = "Hello <script>while(1);</script> world!";

// Output safe html
console.log("<p>" + escape(xssAttempt) + "</p>");
// "<p>Hello &lt;script>while(1);&lt;/script> world!</p>"
```
Installation
npm install html-escape