Skip to main content

Function: escapeHtml()

Call Signature

escapeHtml(str, options?): string

Defined in: string/sanitize/index.ts:78

Escapes HTML special characters.

Converts characters that have special meaning in HTML to their entity equivalents:

  • & → &
  • < → <

  • → >

  • " → "
  • ' → ' (if escapeSingleQuote is true)

Parameters

str

string

The string to escape

options?

EscapeHtmlOptions

Escape options

Returns

string

The escaped string safe for HTML

Example

// Data-first
escapeHtml('<script>alert("XSS")</script>')
// => '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'

escapeHtml("It's a test", { escapeSingleQuote: true })
// => 'It&#x27;s a test'

// Data-last (in pipe)
pipe(
  userInput,
  escapeHtml({ escapeSingleQuote: true })
)

// Use in user-generated content
const safeComment = escapeHtml(userComment)

See

  • stripHtml - to remove HTML tags entirely
  • unescapeHtml - to decode HTML entities

Call Signature

escapeHtml(options): (str) => string

Defined in: string/sanitize/index.ts:79

Escapes HTML special characters.

Converts characters that have special meaning in HTML to their entity equivalents:

  • & → &
  • < → <

  • → >

  • " → "
  • ' → ' (if escapeSingleQuote is true)

Parameters

options

EscapeHtmlOptions

Escape options

Returns

The escaped string safe for HTML

(str): string

Parameters

str

string

Returns

string

Example

// Data-first
escapeHtml('<script>alert("XSS")</script>')
// => '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'

escapeHtml("It's a test", { escapeSingleQuote: true })
// => 'It&#x27;s a test'

// Data-last (in pipe)
pipe(
  userInput,
  escapeHtml({ escapeSingleQuote: true })
)

// Use in user-generated content
const safeComment = escapeHtml(userComment)

See

  • stripHtml - to remove HTML tags entirely
  • unescapeHtml - to decode HTML entities