Security News
pnpm 10.0.0 Blocks Lifecycle Scripts by Default
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
@wordpress/escape-html
@wordpress/escape-html is a small utility package for escaping strings before they are inserted into HTML. It helps prevent XSS (Cross-Site Scripting) attacks by converting the characters that are significant in a given HTML context (text node or attribute value) into their corresponding HTML character references.
Escape HTML
escapeHTML escapes a string for use as text content inside an element. It converts < to &lt; and & to &amp; (leaving ampersands that already form a character reference alone). It does not escape >, " or ', so it is not sufficient for attribute values.
const { escapeHTML } = require('@wordpress/escape-html');
const unsafeString = '<script>alert("XSS")</script>';
const safeString = escapeHTML(unsafeString);
console.log(safeString); // &lt;script>alert("XSS")&lt;/script>
Escape Attribute
escapeAttribute escapes a string for use inside a double-quoted attribute value. It converts & (unless already part of a character reference), " and, as a WordPress-specific addition, > into their corresponding HTML character references. It does not escape < or the single quote, so the result must always be placed between double quotes.
const { escapeAttribute } = require('@wordpress/escape-html');
const unsafeAttribute = '" onmouseover="alert(1)"';
const safeAttribute = escapeAttribute(unsafeAttribute);
console.log(safeAttribute); // &quot; onmouseover=&quot;alert(1)&quot;
The 'he' package is a robust HTML entity encoder/decoder. It supports both encoding and decoding of HTML entities and is highly configurable. Compared to @wordpress/escape-html, 'he' offers more flexibility and options for handling HTML entities.
The 'html-escaper' package provides simple functions to escape and unescape HTML entities. It is lightweight and easy to use, similar to @wordpress/escape-html, but with a focus on simplicity and minimalism.
The 'lodash.escape' function is part of the Lodash library, which provides utility functions for common programming tasks. It escapes characters for inclusion in HTML, similar to @wordpress/escape-html, but is part of a larger utility library.
Escape HTML utils.
Install the module
npm install @wordpress/escape-html
This package assumes that your code will run in an ES2015+ environment. If you're using an environment that has limited or no support for such language features and APIs, you should include the polyfill shipped in @wordpress/babel-preset-default in your code.
API

escapeAmpersand
Returns a string with ampersands escaped. Note that this is an imperfect implementation, where only ampersands which do not appear as a pattern of named, decimal, or hexadecimal character references are escaped. Invalid named references (i.e. ambiguous ampersand) are still permitted.
Parameters
string: Original string.
Returns
string: Escaped string.

escapeAttribute
Returns an escaped attribute value.
Note we also escape the greater than symbol, as this is used by wptexturize to split HTML strings. This is a WordPress specific fix.
Note that if a resolution for Trac#45387 comes to fruition, it is no longer necessary for __unstableEscapeGreaterThan to be used.
See: https://core.trac.wordpress.org/ticket/45387
Parameters
string: Attribute value.
Returns
string: Escaped attribute value.

escapeEditableHTML
Returns an escaped Editable HTML element value. This is different from escapeHTML, because for editable HTML, ALL ampersands must be escaped in order to render the content correctly on the page.
Parameters
string: Element value.
Returns
string: Escaped HTML element value.

escapeHTML
Returns an escaped HTML element value.
Parameters
string: Element value.
Returns
string: Escaped HTML element value.

escapeLessThan
Returns a string with less-than sign replaced.
Parameters
string: Original string.
Returns
string: Escaped string.

escapeQuotationMark
Returns a string with quotation marks replaced.
Parameters
string: Original string.
Returns
string: Escaped string.

isValidAttributeName
Returns true if the given attribute name is valid, or false otherwise.
Parameters
string: Attribute name to test.
Returns
boolean: Whether attribute is valid.

Contributing to this package

This is an individual package that's part of the Gutenberg project. The project is organized as a monorepo. It's made up of multiple self-contained software packages, each with a specific purpose. The packages in this monorepo are published to npm and used by WordPress as well as other software projects.
To find out more about contributing to this package or Gutenberg as a whole, please read the project's main contributor guide.