{"id":13447309,"url":"https://github.com/mathiasbynens/he","last_synced_at":"2025-05-13T00:21:45.490Z","repository":{"id":9139750,"uuid":"10930707","full_name":"mathiasbynens/he","owner":"mathiasbynens","description":"A robust HTML entity encoder/decoder written in JavaScript.","archived":false,"fork":false,"pushed_at":"2021-12-29T22:20:03.000Z","size":653,"stargazers_count":3493,"open_issues_count":24,"forks_count":259,"subscribers_count":61,"default_branch":"master","last_synced_at":"2025-04-22T06:48:53.993Z","etag":null,"topics":["decode","decoder","encode","encoder","html-entities","javascript"],"latest_commit_sha":null,"homepage":"https://mths.be/he","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mathiasbynens.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-MIT.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-06-25T06:54:45.000Z","updated_at":"2025-04-20T03:26:14.000Z","dependencies_parsed_at":"2022-07-12T15:03:22.738Z","dependency_job_id":null,"html_url":"https://github.com/mathiasbynens/he","commit_stats":null,"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathiasbynens%2Fhe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathiasbynens%2Fhe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathiasbynens%2Fhe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathiasbynens%2Fhe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mathiasbynens","download_url":"https://codeload.github.com/mathiasbynens/he/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250493192,"owners_count":21439697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decode","decoder","encode","encoder","html-entities","javascript"],"created_at":"2024-07-31T05:01:13.500Z","updated_at":"2025-04-23T18:41:42.173Z","avatar_url":"https://github.com/mathiasbynens.png","language":"JavaScript","readme":"# he [![Build status](https://travis-ci.org/mathiasbynens/he.svg?branch=master)](https://travis-ci.org/mathiasbynens/he) [![Code coverage status](https://codecov.io/github/mathiasbynens/he/coverage.svg?branch=master)](https://codecov.io/github/mathiasbynens/he?branch=master) [![Dependency status](https://gemnasium.com/mathiasbynens/he.svg)](https://gemnasium.com/mathiasbynens/he)\n\n_he_ (for “HTML entities”) is a robust HTML entity encoder/decoder written in JavaScript. It supports [all standardized named character references as per HTML](https://html.spec.whatwg.org/multipage/syntax.html#named-character-references), handles [ambiguous ampersands](https://mathiasbynens.be/notes/ambiguous-ampersands) and other edge cases [just like a browser would](https://html.spec.whatwg.org/multipage/syntax.html#tokenizing-character-references), has an extensive test suite, and — contrary to many other JavaScript solutions — _he_ handles astral Unicode symbols just fine. [An online demo is available.](https://mothereff.in/html-entities)\n\n## Installation\n\nVia [npm](https://www.npmjs.com/):\n\n```bash\nnpm install he\n```\n\nVia [Bower](http://bower.io/):\n\n```bash\nbower install he\n```\n\nVia [Component](https://github.com/component/component):\n\n```bash\ncomponent install mathiasbynens/he\n```\n\nIn a browser:\n\n```html\n\u003cscript src=\"he.js\"\u003e\u003c/script\u003e\n```\n\nIn [Node.js](https://nodejs.org/), [io.js](https://iojs.org/), [Narwhal](http://narwhaljs.org/), and [RingoJS](http://ringojs.org/):\n\n```js\nvar he = require('he');\n```\n\nIn [Rhino](http://www.mozilla.org/rhino/):\n\n```js\nload('he.js');\n```\n\nUsing an AMD loader like [RequireJS](http://requirejs.org/):\n\n```js\nrequire(\n  {\n    'paths': {\n      'he': 'path/to/he'\n    }\n  },\n  ['he'],\n  function(he) {\n    console.log(he);\n  }\n);\n```\n\n## API\n\n### `he.version`\n\nA string representing the semantic version number.\n\n### `he.encode(text, options)`\n\nThis function takes a string of text and encodes (by default) any symbols that aren’t printable ASCII symbols and `\u0026`, `\u003c`, `\u003e`, `\"`, `'`, and `` ` ``, replacing them with character references.\n\n```js\nhe.encode('foo © bar ≠ baz 𝌆 qux');\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n```\n\nAs long as the input string contains [allowed code points](https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream) only, the return value of this function is always valid HTML. Any [(invalid) code points that cannot be represented using a character reference](https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides) in the input are not encoded:\n\n```js\nhe.encode('foo \\0 bar');\n// → 'foo \\0 bar'\n```\n\nHowever, enabling [the `strict` option](https://github.com/mathiasbynens/he#strict) causes invalid code points to throw an exception. With `strict` enabled, `he.encode` either throws (if the input contains invalid code points) or returns a string of valid HTML.\n\nThe `options` object is optional. It recognizes the following properties:\n\n#### `useNamedReferences`\n\nThe default value for the `useNamedReferences` option is `false`. This means that `encode()` will not use any named character references (e.g. `\u0026copy;`) in the output — hexadecimal escapes (e.g. `\u0026#xA9;`) will be used instead. Set it to `true` to enable the use of named references.\n\n**Note that if compatibility with older browsers is a concern, this option should remain disabled.**\n\n```js\n// Using the global default setting (defaults to `false`):\nhe.encode('foo © bar ≠ baz 𝌆 qux');\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n\n// Passing an `options` object to `encode`, to explicitly disallow named references:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'useNamedReferences': false\n});\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n\n// Passing an `options` object to `encode`, to explicitly allow named references:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'useNamedReferences': true\n});\n// → 'foo \u0026copy; bar \u0026ne; baz \u0026#x1D306; qux'\n```\n\n#### `decimal`\n\nThe default value for the `decimal` option is `false`. If the option is enabled, `encode` will generally use decimal escapes (e.g. `\u0026#169;`) rather than hexadecimal escapes (e.g. `\u0026#xA9;`). Beside of this replacement, the basic behavior remains the same when combined with other options. For example: if both options `useNamedReferences` and `decimal` are enabled, named references (e.g. `\u0026copy;`) are used over decimal escapes. HTML entities without a named reference are encoded using decimal escapes.\n\n```js\n// Using the global default setting (defaults to `false`):\nhe.encode('foo © bar ≠ baz 𝌆 qux');\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n\n// Passing an `options` object to `encode`, to explicitly disable decimal escapes:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'decimal': false\n});\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n\n// Passing an `options` object to `encode`, to explicitly enable decimal escapes:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'decimal': true\n});\n// → 'foo \u0026#169; bar \u0026#8800; baz \u0026#119558; qux'\n\n// Passing an `options` object to `encode`, to explicitly allow named references and decimal escapes:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'useNamedReferences': true,\n  'decimal': true\n});\n// → 'foo \u0026copy; bar \u0026ne; baz \u0026#119558; qux'\n```\n\n#### `encodeEverything`\n\nThe default value for the `encodeEverything` option is `false`. This means that `encode()` will not use any character references for printable ASCII symbols that don’t need escaping. Set it to `true` to encode every symbol in the input string. When set to `true`, this option takes precedence over `allowUnsafeSymbols` (i.e. setting the latter to `true` in such a case has no effect).\n\n```js\n// Using the global default setting (defaults to `false`):\nhe.encode('foo © bar ≠ baz 𝌆 qux');\n// → 'foo \u0026#xA9; bar \u0026#x2260; baz \u0026#x1D306; qux'\n\n// Passing an `options` object to `encode`, to explicitly encode all symbols:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'encodeEverything': true\n});\n// → '\u0026#x66;\u0026#x6F;\u0026#x6F;\u0026#x20;\u0026#xA9;\u0026#x20;\u0026#x62;\u0026#x61;\u0026#x72;\u0026#x20;\u0026#x2260;\u0026#x20;\u0026#x62;\u0026#x61;\u0026#x7A;\u0026#x20;\u0026#x1D306;\u0026#x20;\u0026#x71;\u0026#x75;\u0026#x78;'\n\n// This setting can be combined with the `useNamedReferences` option:\nhe.encode('foo © bar ≠ baz 𝌆 qux', {\n  'encodeEverything': true,\n  'useNamedReferences': true\n});\n// → '\u0026#x66;\u0026#x6F;\u0026#x6F;\u0026#x20;\u0026copy;\u0026#x20;\u0026#x62;\u0026#x61;\u0026#x72;\u0026#x20;\u0026ne;\u0026#x20;\u0026#x62;\u0026#x61;\u0026#x7A;\u0026#x20;\u0026#x1D306;\u0026#x20;\u0026#x71;\u0026#x75;\u0026#x78;'\n```\n\n#### `strict`\n\nThe default value for the `strict` option is `false`. This means that `encode()` will encode any HTML text content you feed it, even if it contains any symbols that cause [parse errors](https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream). To throw an error when such invalid HTML is encountered, set the `strict` option to `true`. This option makes it possible to use _he_ as part of HTML parsers and HTML validators.\n\n```js\n// Using the global default setting (defaults to `false`, i.e. error-tolerant mode):\nhe.encode('\\x01');\n// → '\u0026#x1;'\n\n// Passing an `options` object to `encode`, to explicitly enable error-tolerant mode:\nhe.encode('\\x01', {\n  'strict': false\n});\n// → '\u0026#x1;'\n\n// Passing an `options` object to `encode`, to explicitly enable strict mode:\nhe.encode('\\x01', {\n  'strict': true\n});\n// → Parse error\n```\n\n#### `allowUnsafeSymbols`\n\nThe default value for the `allowUnsafeSymbols` option is `false`. This means that characters that are unsafe for use in HTML content (`\u0026`, `\u003c`, `\u003e`, `\"`, `'`, and `` ` ``) will be encoded. When set to `true`, only non-ASCII characters will be encoded. If the `encodeEverything` option is set to `true`, this option will be ignored.\n\n```js\nhe.encode('foo © and \u0026 ampersand', {\n  'allowUnsafeSymbols': true\n});\n// → 'foo \u0026#xA9; and \u0026 ampersand'\n```\n\n#### Overriding default `encode` options globally\n\nThe global default setting can be overridden by modifying the `he.encode.options` object. This saves you from passing in an `options` object for every call to `encode` if you want to use the non-default setting.\n\n```js\n// Read the global default setting:\nhe.encode.options.useNamedReferences;\n// → `false` by default\n\n// Override the global default setting:\nhe.encode.options.useNamedReferences = true;\n\n// Using the global default setting, which is now `true`:\nhe.encode('foo © bar ≠ baz 𝌆 qux');\n// → 'foo \u0026copy; bar \u0026ne; baz \u0026#x1D306; qux'\n```\n\n### `he.decode(html, options)`\n\nThis function takes a string of HTML and decodes any named and numerical character references in it using [the algorithm described in section 12.2.4.69 of the HTML spec](https://html.spec.whatwg.org/multipage/syntax.html#tokenizing-character-references).\n\n```js\nhe.decode('foo \u0026copy; bar \u0026ne; baz \u0026#x1D306; qux');\n// → 'foo © bar ≠ baz 𝌆 qux'\n```\n\nThe `options` object is optional. It recognizes the following properties:\n\n#### `isAttributeValue`\n\nThe default value for the `isAttributeValue` option is `false`. This means that `decode()` will decode the string as if it were used in [a text context in an HTML document](https://html.spec.whatwg.org/multipage/syntax.html#data-state). HTML has different rules for [parsing character references in attribute values](https://html.spec.whatwg.org/multipage/syntax.html#character-reference-in-attribute-value-state) — set this option to `true` to treat the input string as if it were used as an attribute value.\n\n```js\n// Using the global default setting (defaults to `false`, i.e. HTML text context):\nhe.decode('foo\u0026ampbar');\n// → 'foo\u0026bar'\n\n// Passing an `options` object to `decode`, to explicitly assume an HTML text context:\nhe.decode('foo\u0026ampbar', {\n  'isAttributeValue': false\n});\n// → 'foo\u0026bar'\n\n// Passing an `options` object to `decode`, to explicitly assume an HTML attribute value context:\nhe.decode('foo\u0026ampbar', {\n  'isAttributeValue': true\n});\n// → 'foo\u0026ampbar'\n```\n\n#### `strict`\n\nThe default value for the `strict` option is `false`. This means that `decode()` will decode any HTML text content you feed it, even if it contains any entities that cause [parse errors](https://html.spec.whatwg.org/multipage/syntax.html#tokenizing-character-references). To throw an error when such invalid HTML is encountered, set the `strict` option to `true`. This option makes it possible to use _he_ as part of HTML parsers and HTML validators.\n\n```js\n// Using the global default setting (defaults to `false`, i.e. error-tolerant mode):\nhe.decode('foo\u0026ampbar');\n// → 'foo\u0026bar'\n\n// Passing an `options` object to `decode`, to explicitly enable error-tolerant mode:\nhe.decode('foo\u0026ampbar', {\n  'strict': false\n});\n// → 'foo\u0026bar'\n\n// Passing an `options` object to `decode`, to explicitly enable strict mode:\nhe.decode('foo\u0026ampbar', {\n  'strict': true\n});\n// → Parse error\n```\n\n#### Overriding default `decode` options globally\n\nThe global default settings for the `decode` function can be overridden by modifying the `he.decode.options` object. This saves you from passing in an `options` object for every call to `decode` if you want to use a non-default setting.\n\n```js\n// Read the global default setting:\nhe.decode.options.isAttributeValue;\n// → `false` by default\n\n// Override the global default setting:\nhe.decode.options.isAttributeValue = true;\n\n// Using the global default setting, which is now `true`:\nhe.decode('foo\u0026ampbar');\n// → 'foo\u0026ampbar'\n```\n\n### `he.escape(text)`\n\nThis function takes a string of text and escapes it for use in text contexts in XML or HTML documents. Only the following characters are escaped: `\u0026`, `\u003c`, `\u003e`, `\"`, `'`, and `` ` ``.\n\n```js\nhe.escape('\u003cimg src=\\'x\\' onerror=\"prompt(1)\"\u003e');\n// → '\u0026lt;img src=\u0026#x27;x\u0026#x27; onerror=\u0026quot;prompt(1)\u0026quot;\u0026gt;'\n```\n\n### `he.unescape(html, options)`\n\n`he.unescape` is an alias for `he.decode`. It takes a string of HTML and decodes any named and numerical character references in it.\n\n### Using the `he` binary\n\nTo use the `he` binary in your shell, simply install _he_ globally using npm:\n\n```bash\nnpm install -g he\n```\n\nAfter that you will be able to encode/decode HTML entities from the command line:\n\n```bash\n$ he --encode 'föo ♥ bår 𝌆 baz'\nf\u0026#xF6;o \u0026#x2665; b\u0026#xE5;r \u0026#x1D306; baz\n\n$ he --encode --use-named-refs 'föo ♥ bår 𝌆 baz'\nf\u0026ouml;o \u0026hearts; b\u0026aring;r \u0026#x1D306; baz\n\n$ he --decode 'f\u0026ouml;o \u0026hearts; b\u0026aring;r \u0026#x1D306; baz'\nföo ♥ bår 𝌆 baz\n```\n\nRead a local text file, encode it for use in an HTML text context, and save the result to a new file:\n\n```bash\n$ he --encode \u003c foo.txt \u003e foo-escaped.html\n```\n\nOr do the same with an online text file:\n\n```bash\n$ curl -sL \"http://git.io/HnfEaw\" | he --encode \u003e escaped.html\n```\n\nOr, the opposite — read a local file containing a snippet of HTML in a text context, decode it back to plain text, and save the result to a new file:\n\n```bash\n$ he --decode \u003c foo-escaped.html \u003e foo.txt\n```\n\nOr do the same with an online HTML snippet:\n\n```bash\n$ curl -sL \"http://git.io/HnfEaw\" | he --decode \u003e decoded.txt\n```\n\nSee `he --help` for the full list of options.\n\n## Support\n\n_he_ has been tested in at least:\n\n* Chrome 27-50\n* Firefox 3-45\n* Safari 4-9\n* Opera 10-12, 15–37\n* IE 6–11\n* Edge\n* Narwhal 0.3.2\n* Node.js v0.10, v0.12, v4, v5\n* PhantomJS 1.9.0\n* Rhino 1.7RC4\n* RingoJS 0.8-0.11\n\n## Unit tests \u0026 code coverage\n\nAfter cloning this repository, run `npm install` to install the dependencies needed for he development and testing. You may want to install Istanbul _globally_ using `npm install istanbul -g`.\n\nOnce that’s done, you can run the unit tests in Node using `npm test` or `node tests/tests.js`. To run the tests in Rhino, Ringo, Narwhal, and web browsers as well, use `grunt test`.\n\nTo generate the code coverage report, use `grunt cover`.\n\n## Acknowledgements\n\nThanks to [Simon Pieters](https://simon.html5.org/) ([@zcorpan](https://twitter.com/zcorpan)) for the many suggestions.\n\n## Author\n\n| [![twitter/mathias](https://gravatar.com/avatar/24e08a9ea84deb17ae121074d0f17125?s=70)](https://twitter.com/mathias \"Follow @mathias on Twitter\") |\n|---|\n| [Mathias Bynens](https://mathiasbynens.be/) |\n\n## License\n\n_he_ is available under the [MIT](https://mths.be/mit) license.\n","funding_links":[],"categories":["Packages","JavaScript","String","Repository","HTML","包","目录","String [🔝](#readme)","Text","字符串","前端常用"],"sub_categories":["Text","Runner","Text/String","文本","文本处理","运行器","运行器e2e测试"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmathiasbynens%2Fhe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmathiasbynens%2Fhe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmathiasbynens%2Fhe/lists"}