Escape HTML

Escape HTML is a lightweight JavaScript utility library for escaping special HTML characters in strings to prevent XSS attacks and ensure safe HTML output. It focuses on high-performance string processing to escape five critical HTML characters and is designed for maximum reusability across web applications.

Package Information

  • Package Name: escape-html
  • Package Type: npm
  • Language: JavaScript
  • Installation: npm install escape-html
  • License: MIT

Core Imports

const escapeHtml = require('escape-html');

For component.js (legacy support):

var escapeHtml = require('escape-html');

Basic Usage

const escapeHtml = require('escape-html');

// Escape special HTML characters
const userInput = 'Hello <script>alert("XSS")</script> & "quotes"';
const safeHtml = escapeHtml(userInput);
console.log(safeHtml);
// Output: Hello &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; &amp; &quot;quotes&quot;

// Works with any input type (coerced to string)
const numericInput = escapeHtml(123);
console.log(numericInput); // "123"

// null and undefined are coerced to the strings "null" and "undefined"
const emptyInput = escapeHtml(null);
console.log(emptyInput); // "null"

Capabilities

HTML Character Escaping

Escapes special characters in the given string for safe insertion into HTML content.

/**
 * Escape special characters in the given string of html.
 * 
 * @param {any} string - The input value to escape for HTML (will be coerced to string)
 * @returns {string} The escaped HTML string
 */
function escapeHtml(string);

Escaped Characters:

  • " (double quote) → &quot;
  • & (ampersand) → &amp;
  • ' (single quote) → &#39;
  • < (less-than) → &lt;
  • > (greater-than) → &gt;

Performance Characteristics:

  • Optimized for performance with early detection of escapable characters
  • Returns original string unchanged if no special characters are found
  • Uses efficient character code comparison for escape logic
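
The behaviour listed above (five escaped characters, an early exit when nothing needs escaping, and character-code comparison) can be sketched as follows. This is an added illustration, not the escape-html source; the names escapeHtmlSketch and NEEDS_ESCAPE are hypothetical.

```javascript
// Added illustration, not the package's own code: a stand-in that follows
// the behaviour documented on this page.
const NEEDS_ESCAPE = /["'&<>]/; // the five characters listed above

function escapeHtmlSketch(value) {
  const str = '' + value;                  // coerce any input to a string
  const match = NEEDS_ESCAPE.exec(str);    // early detection
  if (!match) return str;                  // fast path: return input unchanged

  let out = '';
  let last = 0;                            // start of the run not yet copied
  for (let i = match.index; i < str.length; i++) {
    let entity;
    switch (str.charCodeAt(i)) {           // compare character codes
      case 34: entity = '&quot;'; break;   // "
      case 38: entity = '&amp;'; break;    // &
      case 39: entity = '&#39;'; break;    // '
      case 60: entity = '&lt;'; break;     // <
      case 62: entity = '&gt;'; break;     // >
      default: continue;                   // ordinary character, keep scanning
    }
    out += str.substring(last, i) + entity; // copy the clean run, then the entity
    last = i + 1;
  }
  return out + str.substring(last);        // copy whatever follows the last match
}

// Constructed sample inputs
console.log(escapeHtmlSketch('Tom & "Jerry" <cartoon>'));
console.log(escapeHtmlSketch('no special characters'));
// Escaping is not idempotent: escaping already-escaped text encodes the
// ampersand again, so escape exactly once, at the point of output.
console.log(escapeHtmlSketch('&amp;'));
```
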

Usage Examples:

const escapeHtml = require('escape-html');

// Basic HTML escaping
const userComment = 'I love <strong>bold</strong> text & "quotes"!';
const safeComment = escapeHtml(userComment);
// Result: I love &lt;strong&gt;bold&lt;/strong&gt; text &amp; &quot;quotes&quot;!

// Template integration
function renderTemplate(data) {
  return `<div class="comment">${escapeHtml(data.userInput)}</div>`;
}

// Attribute values: the escaped string is safe only inside a quoted attribute
const title = 'Product "A" & Company\'s <special> item';
const safeTitle = escapeHtml(title);
// Use in a quoted attribute: <img alt="${safeTitle}" />

// Type coercion examples
escapeHtml(42);          // "42"
escapeHtml(true);        // "true"
escapeHtml(undefined);   // "undefined"
escapeHtml({ a: 1 });    // "[object Object]"

Common Use Cases:

  • Preventing XSS attacks in user-generated content
  • Safe insertion of dynamic data into HTML templates
  • Escaping data for quoted HTML attribute values
  • Server-side rendering of user content
  • Template engine integration
  • API response sanitization