
tessl/npm-escape-html

Escape string for use in HTML to prevent XSS attacks


Escape HTML

Escape HTML is a lightweight JavaScript utility library for escaping special HTML characters in strings to prevent XSS attacks and ensure safe HTML output. It focuses on high-performance string processing to escape five critical HTML characters and is designed for maximum reusability across web applications.

Package Information

  • Package Name: escape-html
  • Package Type: npm
  • Language: JavaScript
  • Installation: npm install escape-html
  • License: MIT

Core Imports

const escapeHtml = require('escape-html');

For component.js (legacy support):

var escapeHtml = require('escape-html');

Basic Usage

const escapeHtml = require('escape-html');

// Escape special HTML characters
const userInput = 'Hello <script>alert("XSS")</script> & "quotes"';
const safeHtml = escapeHtml(userInput);
console.log(safeHtml);
// Output: Hello &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;

// Works with any input type (coerced to string)
const numericInput = escapeHtml(123);
console.log(numericInput); // "123"

// null and undefined are not special-cased: they are coerced like any other value
const emptyInput = escapeHtml(null);
console.log(emptyInput); // "null"

Capabilities

HTML Character Escaping

Escapes special characters in the given string for safe insertion into HTML content.

/**
 * Escape special characters in the given string of html.
 * 
 * @param {any} string - The input value to escape for HTML (will be coerced to string)
 * @returns {string} The escaped HTML string
 */
function escapeHtml(string);

Escaped Characters:

  • " (double quote) → &quot;
  • & (ampersand) → &amp;
  • ' (single quote) → &#39;
  • < (less-than) → &lt;
  • > (greater-than) → &gt;

Performance Characteristics:

  • Optimized for performance with early detection of escapable characters
  • Returns original string unchanged if no special characters are found
  • Uses efficient character code comparison for escape logic
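To make the performance characteristics above concrete, here is an added reimplementation that follows the same strategy: one regex pre-check that returns the coerced string unchanged when none of the five characters is present, then a charCodeAt switch that copies the safe runs between escapable characters in slices. This is example code written for this page, not the escape-html package's own source; escapeHtmlLike, escapeHtmlSimple, crossCheck, returnsSameStringWhenClean and the SAMPLES list are names and inputs constructed here. The map-based escapeHtmlSimple exists only to cross-check the optimized path against the five mappings listed above.

```javascript
// Added example: an independent reimplementation of the escaping behaviour
// described on the page (five characters, early exit, char-code comparison).
// It is not the escape-html package's source.

// Pre-check: does the input contain any character that needs escaping?
const NEEDS_ESCAPE = /["'&<>]/;

function escapeHtmlLike(value) {
  // Coerce any input to a string, as documented (null -> "null", 42 -> "42").
  const str = '' + value;
  const match = NEEDS_ESCAPE.exec(str);
  if (!match) {
    // Fast path: nothing to escape, return the coerced string untouched.
    return str;
  }

  let html = '';
  let lastIndex = 0; // start of the not-yet-copied run of safe characters
  for (let i = match.index; i < str.length; i++) {
    let escaped;
    switch (str.charCodeAt(i)) {
      case 34: escaped = '&quot;'; break; // "
      case 38: escaped = '&amp;'; break;  // &
      case 39: escaped = '&#39;'; break;  // '
      case 60: escaped = '&lt;'; break;   // <
      case 62: escaped = '&gt;'; break;   // >
      default: continue;                  // ordinary character, keep scanning
    }
    if (lastIndex !== i) {
      html += str.substring(lastIndex, i); // copy the safe run before this char
    }
    lastIndex = i + 1;
    html += escaped;
  }
  // Append whatever safe tail is left after the last escaped character.
  return lastIndex !== str.length ? html + str.substring(lastIndex) : html;
}

// Straightforward map-based version, used here only to cross-check the output.
const ESCAPE_MAP = { '"': '&quot;', '&': '&amp;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function escapeHtmlSimple(value) {
  return ('' + value).replace(/["'&<>]/g, (c) => ESCAPE_MAP[c]);
}

// Constructed sample inputs: the fast path, every escaped character, and
// type coercion of non-string values.
const SAMPLES = [
  'plain text, nothing to escape',
  'Hello <script>alert("XSS")</script> & "quotes"',
  "it's & <b>",
  42,
  null,
  undefined,
  { a: 1 },
];

// True when the optimized path agrees with the map-based version on every sample.
function crossCheck(samples) {
  return samples.every((s) => escapeHtmlLike(s) === escapeHtmlSimple(s));
}

// True when a string without escapable characters comes back unchanged.
function returnsSameStringWhenClean(value) {
  const str = '' + value;
  return escapeHtmlLike(str) === str;
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', escapeHtmlLike(s));
}
console.log('optimized path matches map-based version:', crossCheck(SAMPLES));
```

The slice-copy loop is what keeps the common case cheap: a string with no escapable characters costs one regex test, and a string with a few of them allocates one substring per safe run rather than one per character.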

Usage Examples:

const escapeHtml = require('escape-html');

// Basic HTML escaping
const userComment = 'I love <strong>bold</strong> text & "quotes"!';
const safeComment = escapeHtml(userComment);
// Result: I love &lt;strong&gt;bold&lt;/strong&gt; text &amp; &quot;quotes&quot;!

// Template integration
function renderTemplate(data) {
  return `<div class="comment">${escapeHtml(data.userInput)}</div>`;
}

// Safe attribute values
const title = 'Product "A" & Company\'s <special> item';
const safeTitle = escapeHtml(title);
// Use in: <img alt="${safeTitle}" />

// Type coercion examples
escapeHtml(42);          // "42"
escapeHtml(true);        // "true"
escapeHtml(undefined);   // "undefined"
escapeHtml({ a: 1 });    // "[object Object]"

Common Use Cases:

  • Preventing XSS attacks in user-generated content
  • Safe insertion of dynamic data into HTML templates
  • Escaping data for HTML attributes
  • Server-side rendering of user content
  • Template engine integration
  • API response sanitization
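The template-integration and attribute use cases above can be turned into an auto-escaping tagged template, shown here as an added example that is not part of escape-html or the Tessl skill. The escapeHtml function below is a short inline stand-in for require('escape-html') so the snippet runs offline; SafeHtml, trusted, html, renderValue, renderComment, renderComments and the SAMPLE_COMMENTS data are hypothetical names and constructed values. What it demonstrates: every interpolated value is escaped by default, already-rendered fragments pass through only when explicitly wrapped, and user data is placed only in text content or quoted attribute values, the two contexts this five-character escaping is designed for.

```javascript
// Added example: a minimal auto-escaping template tag on top of five-character
// HTML escaping. Helper names are hypothetical and not part of escape-html.

// Inline stand-in for require('escape-html'): same five mappings.
const ESCAPE_MAP = { '"': '&quot;', '&': '&amp;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
function escapeHtml(value) {
  return ('' + value).replace(/["'&<>]/g, (c) => ESCAPE_MAP[c]);
}

// Wrapper for markup that has already been escaped (or is otherwise trusted);
// the template tag passes it through unchanged instead of escaping it again.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}
function trusted(markup) { return new SafeHtml(markup); }

// Renders one interpolated value: SafeHtml verbatim, arrays item by item,
// everything else escaped. Plain strings are never trusted implicitly.
function renderValue(v) {
  if (v instanceof SafeHtml) return v.markup;
  if (Array.isArray(v)) return v.map(renderValue).join('');
  return escapeHtml(v);
}

// Tagged template: html`<p>${userText}</p>` escapes every ${...} by default.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += renderValue(v) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// User-controlled fields land in text content and in a quoted attribute value,
// both contexts where this escaping is sufficient.
function renderComment(comment) {
  return html`<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Nested fragments are SafeHtml, so they are composed without double-escaping.
function renderComments(comments) {
  return html`<section>${comments.map(renderComment)}</section>`.toString();
}

// Constructed sample data containing each of the five escaped characters.
const SAMPLE_COMMENTS = [
  { author: 'Mallory "M" <admin>', body: '<script>alert(1)</script>' },
  { author: "O'Brien", body: 'I love <strong>bold</strong> text & "quotes"!' },
];

console.log(renderComments(SAMPLE_COMMENTS));
// A fragment is only left unescaped when wrapped explicitly:
console.log(html`<p>${trusted('<b>ok</b>')}</p>`.toString());
console.log(html`<p>${'<b>not ok</b>'}</p>`.toString());
```

The design choice worth copying is that the unsafe path requires an explicit trusted() call while the safe path is the default, so forgetting a call fails closed. Unquoted attributes, inline script, style and URL contexts still need their own encoding; this tag does not attempt to cover them.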

Install with Tessl CLI

npx tessl i tessl/npm-escape-html

Skill Metadata

  • Workspace: tessl
  • Visibility: Public
  • Describes: npm pkg:npm/escape-html@1.0.x
  • Publish Source: CLI