sindresorhus / escape-goat Goto Github PK

View Code? Open in Web Editor NEW

502.0 7.0 32.0 1.71 MB

&🐐; Escape a string for use in HTML or the inverse

License: MIT License

JavaScript 87.04% TypeScript 12.96%

goats goat caprine escape html javascript nodejs

escape-goat's Introduction

Escape a string for use in HTML or the inverse

Install

$ npm install escape-goat

Usage

import {htmlEscape, htmlUnescape} from 'escape-goat';

htmlEscape('🦄 & 🐐');
//=> '🦄 &amp; 🐐'

htmlUnescape('🦄 &amp; 🐐');
//=> '🦄 & 🐐'

htmlEscape('Hello <em>World</em>');
//=> 'Hello &lt;em&gt;World&lt;/em&gt;'

const url = 'https://sindresorhus.com?x="🦄"';

htmlEscape`<a href="${url}">Unicorn</a>`;
//=> '<a href="https://sindresorhus.com?x=&quot;🦄&quot;">Unicorn</a>'

const escapedUrl = 'https://sindresorhus.com?x=&quot;🦄&quot;';

htmlUnescape`URL from HTML: ${escapedUrl}`;
//=> 'URL from HTML: https://sindresorhus.com?x="🦄"'

API

htmlEscape(string)

Escapes the following characters in the given string argument: & < > " '

The function also works as a tagged template literal that escapes interpolated values.

Note: This method of escaping is only safe when inserting data into normal tags like body, div, p, b, td, etc. Inserting htmlEscape'd data into tags like script and style opens your app to XSS vulnerabilities.

htmlUnescape(htmlString)

Unescapes the following HTML entities in the given htmlString argument: & < > " '

The function also works as a tagged template literal that unescapes interpolated values.

Tip

Ensure you always quote your HTML attributes to prevent possible XSS.

FAQ

Why yet another HTML escaping package?

I couldn't find one I liked that was tiny, well-tested, and had both escape and unescape methods.

escape-goat's People

Contributors

Stargazers

Watchers

Forkers

empia alex-keyes reonsaji ajhsu baradrupal anothermoon dijs x710894881 jefcurtis nicoleetlui mahovich silverwind richienb brunoss8 commonjs-bot mifi terrorizer1980 alexrogalskiy

escape-goat's Issues

Don't do this

Handling non-string values

Maybe you should handle non-string values passed to escape and unescape methods like:

// booleans
escapeGoat.escape(true);
escapeGoat.unescape(true);

// objects
escapeGoat.escape({hello: 'world'});
escapeGoat.unescape({hello: 'world'});

// other
escapeGoat.escape(null);
escapeGoat.escape(undefined);

// Any other non-string value like arrays, sets, maps, symbols, regexes

The origin of this issue is from linkify-urls package (dependent of escape-goat) where the following code would throw an error:

const linkifyUrls = require('linkify-urls');

linkifyUrls('See https://sindresorhus.com', {
  attributes: {
    class: 'unicorn',
    hidden: true // <- this thing
  }
});

// throws
// TypeError: input.replace is not a function

Some type checking would be helpful with either

converting all primitive values (boolean, null, undefined) to strings
or returning empty string for null and undefined and only converting boolean values to strings

Support unescaping all HTML escape codes.

Supporting decimal, hex, and all character entities would be very useful.

Merge tag functions

What do you think about overloading the regular htmlEscape/Unescape functions to automatically become tag functions? The detection would be simple: Array.isArray

Slow escaping

Use fast algorithm https://github.com/component/escape-html

Error [ERR_REQUIRE_ESM]: Must use import to load ES Module

I am running on Typescript and after updating to version 4.0.0 it started throwing this error: (3.0.0 works fine)

@sindresorhus any idea what could be behind it?

Add template literal tags

Before:

const g = require('escape-goat');
const escaped = `<html a=${g.escape(a)}><b>${g.escape(b)}</b> ${g.escape(c)}</html>`;

After:

const g = require('escape-goat');
const escaped = g.escapeTag`<html a=${a}><b>${b}</b> ${c}</html>`;

The code required is minimal and this can be improved further:

module.exports = function eskape(strs, ...vals) {
    var out = strs[0];

    for (let i = 0; i < vals.length; i++) {
        out = out + escape(vals[i]) + strs[i + 1];
    }

    return out;
}

Code from https://github.com/wbinnssmith/eskape/blob/master/src.js