Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sindresorhus/escape-goat

&🐐; Escape a string for use in HTML or the inverse
https://github.com/sindresorhus/escape-goat

caprine escape goat goats html javascript nodejs

Last synced: 3 days ago
JSON representation

&🐐; Escape a string for use in HTML or the inverse

Host: GitHub
URL: https://github.com/sindresorhus/escape-goat
Owner: sindresorhus
License: mit
Created: 2017-05-27T10:06:31.000Z (over 7 years ago)
Default Branch: main
Last Pushed: 2022-07-08T11:14:32.000Z (over 2 years ago)
Last Synced: 2025-01-17T03:04:28.275Z (10 days ago)
Topics: caprine, escape, goat, goats, html, javascript, nodejs
Language: JavaScript
Homepage:
Size: 1.67 MB
Stars: 520
Watchers: 7
Forks: 32
Open Issues: 0
Metadata Files:
- Readme: readme.md
- Funding: .github/funding.yml
- License: license
- Security: .github/security.md

Awesome Lists containing this project

README

        


	



> Escape a string for use in HTML or the inverse

## Install

```

$ npm install escape-goat

```

## Usage

```js

import {htmlEscape, htmlUnescape} from 'escape-goat';

htmlEscape('🦄 & 🐐');

//=> '🦄 & 🐐'

htmlUnescape('🦄 & 🐐');

//=> '🦄 & 🐐'

htmlEscape('Hello World');

//=> 'Hello <em>World</em>'

const url = 'https://sindresorhus.com?x="🦄"';

htmlEscape`Unicorn`;

//=> 'Unicorn'

const escapedUrl = 'https://sindresorhus.com?x="🦄"';

htmlUnescape`URL from HTML: ${escapedUrl}`;

//=> 'URL from HTML: https://sindresorhus.com?x="🦄"'

```

## API

### htmlEscape(string)

Escapes the following characters in the given `string` argument: `&` `<` `>` `"` `'`

The function also works as a [tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that escapes interpolated values.

**Note:** This method of escaping is only safe when inserting data into normal tags like `body`, `div`, `p`, `b`, `td`, etc. Inserting `htmlEscape`'d data into tags like `script` and `style` **opens your app to [XSS vulnerabilities](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-0-never-insert-untrusted-data-except-in-allowed-locations)**.

### htmlUnescape(htmlString)

Unescapes the following HTML entities in the given `htmlString` argument: `&` `<` `>` `"` `'`

The function also works as a [tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that unescapes interpolated values.

## Tip

Ensure you always quote your HTML attributes to prevent possible [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting).

## FAQ

### Why yet another HTML escaping package?

I couldn't find one I liked that was tiny, well-tested, and had both escape and unescape methods.