html-escape
Escape a string to be safe for use in html. &, <, ', and "
characters are replaced with their named character references:
&amp;, &lt;, &apos;, and &quot;. Escaped strings will be safe
for use in the following contexts:
- RCDATA and DATA (content of all elements except for
  <script> and <style>)
- Single-quoted attribute values '
- Double-quoted attribute values "
Example
var escape = require("html-escape");
var xssAttempt = "Hello <script>while(1);</script> world!";
// Output safe html
console.log("<p>" + escape(xssAttempt) + "</p>");
// "<p>Hello &lt;script>while(1);&lt;/script> world!</p>"
Installation
npm install html-escape
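
The list of safe contexts above does not include unquoted attribute values, and the four replacements do nothing for them. The following is an added example, not code from html-escape or its README: `escapeHtml` is a stand-in built from the four replacements described above, `parseAttributes` and `render` are hypothetical helpers, and the input strings are constructed. It shows the same escaped value staying one attribute when quoted and splitting into two when unquoted.

```javascript
// Stand-in for require("html-escape") so the example runs offline. It performs
// only the four replacements the README lists (assumption: not the package's
// actual source).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/'/g, "&apos;")
    .replace(/"/g, "&quot;");
}

// Hypothetical helper: split one start tag into attributes the way an HTML
// tokenizer does. Quoted values end at the matching quote; unquoted values
// end at whitespace. Values are returned raw, without entity decoding.
function parseAttributes(tag) {
  var attrs = {};
  var body = tag.replace(/^<\s*[^\s>\/]+/, "").replace(/\/?>\s*$/, "");
  var re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  var m;
  while ((m = re.exec(body)) !== null) {
    var value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1]] = value !== undefined ? value : "";
  }
  return attrs;
}

// Emit the escaped value into an attribute using the given quote character
// ('"', "'" or "" for an unquoted attribute).
function render(value, quote) {
  return "<input value=" + quote + escapeHtml(value) + quote + ">";
}

// Names of the attributes a parser would see in the rendered tag.
function attributeNames(value, quote) {
  return Object.keys(parseAttributes(render(value, quote)));
}

// Constructed inputs: each tries to close the value and add a second attribute.
console.log(attributeNames('" data-injected="1', '"')); // double-quoted context
console.log(attributeNames("' data-injected='1", "'")); // single-quoted context
console.log(attributeNames("guest data-injected=1", "")); // unquoted context
```

Always emit the quotes around the attribute value in the template itself; the escaping only guarantees that the value cannot close them.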