Escape a string to be safe for use in html.
characters are replaced with their named character references:
". Escaped strings will be safe
for use in the following contexts:
- RCDATA and DATA (content of all elements except for
- Single-quoted attribute values
- Double-quoted attribute values
```js
var escape = require("html-escape");
var xssAttempt = "Hello <script>while(1);</script> world!";
// Output safe html
console.log("<p>" + escape(xssAttempt) + "</p>");
// "<p>Hello &lt;script&gt;while(1);&lt;/script&gt; world!</p>"
```
npm install html-escape
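The list of safe contexts above matters because escaping only holds when the value sits inside element content or a quoted attribute. The following is an added example, not code from this package: `escapeHtml` is a stand-in assumed to map `& < > " '` to character references, `render`, `parseAttributes` and `namesFor` are hypothetical helpers (the tokenizer is simplified, not a full HTML parser), and all inputs are constructed.

```javascript
// Stand-in for the package's escape(), so the example runs without installing it.
// Assumption: & < > " ' are mapped to character references.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical helper: place a value into a title attribute in a given context.
function render(context, value) {
  const q = { double: '"', single: "'", unquoted: "" }[context];
  return "<p title=" + q + value + q + ">";
}

// Simplified attribute tokenizer for one start tag (not a full HTML parser).
function parseAttributes(startTag) {
  const body = startTag.replace(/^<[a-zA-Z][^\s>]*/, "").replace(/\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1]] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Attribute names the tokenizer sees for a value placed in the given context.
function namesFor(context, value, doEscape) {
  const v = doEscape ? escapeHtml(value) : value;
  return Object.keys(parseAttributes(render(context, v)));
}

// Constructed inputs: each tries to add a second, harmless attribute.
const cases = [
  ["double", 'x" data-injected="1'],
  ["single", "x' data-injected='1"],
  ["unquoted", "x data-injected=1"],
];
for (const [context, value] of cases) {
  console.log(context, "raw:", namesFor(context, value, false),
    "escaped:", namesFor(context, value, true));
}
```

In the two quoted contexts the escaped value stays inside `title`; in the unquoted context the extra attribute appears even after escaping, which is why attribute values built from untrusted input should always be quoted.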