<h1>
<img src="logo.jpg" width="1280" alt="escape-goat">
</h1>
> Escape a string for use in HTML or the inverse
## Install
```
$ npm install escape-goat
```
## Usage
```js
const {htmlEscape, htmlUnescape, htmlEscapeTag, htmlUnescapeTag} = require('escape-goat');

htmlEscape('🦄 & 🐐');
//=> '🦄 &amp; 🐐'

htmlUnescape('🦄 &amp; 🐐');
//=> '🦄 & 🐐'

htmlEscape('Hello <em>World</em>');
//=> 'Hello &lt;em&gt;World&lt;/em&gt;'

const url = 'https://sindresorhus.com?x="🦄"';

// Interpolated values are escaped; the literal parts of the template are left as-is
htmlEscapeTag`<a href="${url}">Unicorn</a>`;
//=> '<a href="https://sindresorhus.com?x=&quot;🦄&quot;">Unicorn</a>'

const escapedUrl = 'https://sindresorhus.com?x=&quot;🦄&quot;';

// Interpolated values are unescaped
htmlUnescapeTag`URL from HTML: ${escapedUrl}`;
//=> 'URL from HTML: https://sindresorhus.com?x="🦄"'
```
## API
### htmlEscape(string)
Escapes the following characters in the given `string` argument: `&` `<` `>` `"` `'`
### htmlUnescape(htmlString)
Unescapes the following HTML entities in the given `htmlString` argument: `&amp;` `&lt;` `&gt;` `&quot;` `&#39;`
### htmlEscapeTag
[Tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that escapes interpolated values.
### htmlUnescapeTag
[Tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that unescapes interpolated values.
## Tip
Ensure you always quote your HTML attributes to prevent possible [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting).
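
Why the quoting matters, as an added example (not part of the package's own code): escaping the five characters listed above does not touch whitespace, so in an unquoted attribute an escaped value can still end the attribute and begin a new one. `escapeHtml` is a local stand-in assumed to mirror `htmlEscape`; `renderQuoted`, `renderUnquoted`, `attributeNames` and the sample inputs are hypothetical and constructed for this illustration.

```javascript
// Stand-in for htmlEscape (assumption: escapes the same five characters the README lists).
const escapeHtml = value => String(value)
  .replace(/&/g, '&amp;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;');

// Hypothetical templates: the same escaped value in a quoted and an unquoted attribute.
const renderQuoted = value => `<span title="${escapeHtml(value)}">hi</span>`;
const renderUnquoted = value => `<span title=${escapeHtml(value)}>hi</span>`;

// Minimal tokenizer for the attribute names of the first start tag in `html`.
// Illustration only, not a full HTML parser.
function attributeNames(html) {
  const startTag = html.slice(0, html.indexOf('>'));
  const inner = startTag.replace(/^<\w+/, '');
  const attribute = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s]*))?/g;
  return [...inner.matchAll(attribute)].map(match => match[1]);
}

// Constructed sample inputs standing in for untrusted data.
const withSpace = 'hello data-injected=1';
const withQuote = 'hello" data-injected="1';

// Quoted: the whole escaped value stays inside the one attribute.
console.log(attributeNames(renderQuoted(withSpace)));
console.log(attributeNames(renderQuoted(withQuote)));

// Unquoted: the space ends the value, so the input contributes a second attribute
// even though every character the escaper knows about was escaped.
console.log(attributeNames(renderUnquoted(withSpace)));
```
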
## FAQ
### Why yet another HTML escaping package?
I couldn't find one I liked that was tiny, well-tested, and had both `.escape()` and `.unescape()`.
## License
MIT © [Sindre Sorhus](https://sindresorhus.com)