html-escape (original) (raw)

html-escape

Escape a string to be safe for use in html. &, <, ', and "characters are replaced with with their named character references:&, <, ', and ". Escaped strings will be safe for use in the following contexts:

• RCDATA and DATA (content of all elements except for<script> and <style>)
• Single-quoted attribute values '
• Double-quoted attribute values "

Example

var escape = require("html-escape");

var xssAttempt = "Hello  world!";

// Output safe html

console.log("

" + escape(xssAttempt) + "

// "

Hello <script>while(1);</script> world!

Installation

npm install html-escape