Skip to content

&🐐; Escape a string for use in HTML or the inverse

License

Notifications You must be signed in to change notification settings

sindresorhus/escape-goat

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

31 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

escape-goat

Escape a string for use in HTML or the inverse

Install

$ npm install escape-goat

Usage

import {htmlEscape, htmlUnescape} from 'escape-goat';

htmlEscape('πŸ¦„ & 🐐');
//=> 'πŸ¦„ & 🐐'

htmlUnescape('πŸ¦„ & 🐐');
//=> 'πŸ¦„ & 🐐'

htmlEscape('Hello <em>World</em>');
//=> 'Hello &lt;em&gt;World&lt;/em&gt;'

const url = 'https://sindresorhus.com?x="πŸ¦„"';

htmlEscape`<a href="${url}">Unicorn</a>`;
//=> '<a href="https://sindresorhus.com?x=&quot;πŸ¦„&quot;">Unicorn</a>'

const escapedUrl = 'https://sindresorhus.com?x=&quot;πŸ¦„&quot;';

htmlUnescape`URL from HTML: ${escapedUrl}`;
//=> 'URL from HTML: https://sindresorhus.com?x="πŸ¦„"'

API

htmlEscape(string)

Escapes the following characters in the given string argument: & < > " '

The function also works as a tagged template literal that escapes interpolated values.

Note: This method of escaping is only safe when inserting data into normal tags like body, div, p, b, td, etc. Inserting htmlEscape'd data into tags like script and style opens your app to XSS vulnerabilities.

htmlUnescape(htmlString)

Unescapes the following HTML entities in the given htmlString argument: &amp; &lt; &gt; &quot; &#39;

The function also works as a tagged template literal that unescapes interpolated values.

Tip

Ensure you always quote your HTML attributes to prevent possible XSS.

FAQ

Why yet another HTML escaping package?

I couldn't find one I liked that was tiny, well-tested, and had both escape and unescape methods.