
Properly escape JSON for usage as an object literal inside of a `<script>` tag
The htmlescape npm package escapes JSON so that it can be embedded as an object literal inside a `<script>` tag. It is a drop-in replacement for JSON.stringify that additionally replaces `<`, `>`, `&`, U+2028 and U+2029 with JavaScript Unicode escapes, so a string value such as `</script>` in server-side data cannot terminate the script element and inject markup (a cross-site scripting vector).
Escape HTML
The example below applies the function to a string containing a closing script tag. The result is a JSON string literal in which the angle brackets have been replaced by `\u003c` and `\u003e`; the JavaScript engine still decodes it to the original string, but the HTML parser no longer sees a `</script>` inside the block.

```javascript
const htmlescape = require('htmlescape');
const unsafeString = '<script>alert("XSS")</script>';
const safeString = htmlescape(unsafeString);
console.log(safeString); // "\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e"
```
Unescape HTML
htmlescape exposes no inverse function. Because its output is valid JSON (the replacements are ordinary JSON `\uXXXX` escapes), `JSON.parse` recovers the original value:

```javascript
const htmlescape = require('htmlescape');
const escapedString = htmlescape('<script>alert("XSS")</script>');
const unescapedString = JSON.parse(escapedString);
console.log(unescapedString); // <script>alert("XSS")</script>
```
The 'he' package is a robust HTML entity encoder/decoder. It supports both escaping and unescaping of HTML entities, similar to htmlescape, but offers more comprehensive support for various HTML entities and is known for its performance.
The 'entities' package provides functions to encode and decode HTML entities. It is similar to htmlescape in functionality but offers additional features like support for XML entities and more configuration options.
The 'escape-html' package is a simple utility for escaping HTML entities. It is lightweight and focuses solely on escaping HTML, making it a straightforward alternative to htmlescape for this specific task.
Properly escape JSON for usage as an object literal inside of a `<script>` tag. Use htmlescape in place of JSON.stringify. For more info see JSON: The JavaScript subset that isn't.
| from | to |
|---|---|
| `&` | `\u0026` |
| `>` | `\u003e` |
| `<` | `\u003c` |
| U+2028 (line separator) | `\u2028` |
| U+2029 (paragraph separator) | `\u2029` |
```javascript
var htmlescape = require('htmlescape');
htmlescape({prop:'value'});
//=> '{"prop":"value"}'
```
Or in your templates:
```html
<script>
var payload = <%= htmlescape(payload) %>;
</script>
```
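To make the difference between plain JSON.stringify and the escaped form concrete, here is an added example that is not part of the htmlescape package or its README. It re-implements the five-character replacement from the table above under the hypothetical names `escapeJsonForScript` and `renderScriptTag`, renders the template snippet's `<script>` block both ways for a constructed payload containing `</script>` and U+2028, and runs a simple defender-side check: the HTML parser closes a script element at the first `</script` it meets, so a rendered block is only safe if it contains exactly one closing tag.

```javascript
// Added example (not from the htmlescape package): re-implementation of the
// README's replacement table, used to compare raw JSON.stringify with the
// escaped output inside a <script> tag. All function names are hypothetical.
const ESCAPE_LOOKUP = {
  '&': '\\u0026',
  '>': '\\u003e',
  '<': '\\u003c',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
const ESCAPE_REGEX = /[&><\u2028\u2029]/g;

// Same contract as the README: JSON.stringify, then replace the characters
// that the HTML parser (or a pre-ES2019 JS parser, for U+2028/U+2029) would
// misinterpret. The replacements are valid JSON escapes, so the value is
// unchanged once the browser's JS engine reads it.
function escapeJsonForScript(value) {
  return JSON.stringify(value).replace(ESCAPE_REGEX, (ch) => ESCAPE_LOOKUP[ch]);
}

// Render a <script> block that embeds server-side data, like the README's
// template snippet. `unsafe: true` uses raw JSON.stringify for comparison.
function renderScriptTag(payload, { unsafe = false } = {}) {
  const json = unsafe ? JSON.stringify(payload) : escapeJsonForScript(payload);
  return `<script>var payload = ${json};</script>`;
}

// Defender-side check: the HTML tokenizer ends a <script> element at the
// first "</script" regardless of JavaScript string context, so anything
// other than exactly one closing tag means the embedded data can break out.
function scriptBreakoutPossible(html) {
  return (html.match(/<\/script/gi) || []).length !== 1;
}

// Constructed sample: a user-supplied comment containing a closing script
// tag and a U+2028 line separator.
const sample = { comment: '</script><b>hi</b>\u2028', count: 1 };

const unsafeHtml = renderScriptTag(sample, { unsafe: true });
const safeHtml = renderScriptTag(sample);

console.log(unsafeHtml);
console.log(safeHtml);
console.log('breakout with JSON.stringify:', scriptBreakoutPossible(unsafeHtml)); // true
console.log('breakout with escaping:', scriptBreakoutPossible(safeHtml));         // false

// Round trip: the escaped text is still valid JSON and decodes to the input.
console.log(JSON.parse(escapeJsonForScript(sample)).comment === sample.comment); // true
```

Note that the escaping is only correct for the JavaScript-literal context shown in the template: the output is meant to be parsed by the JS engine inside a `<script>` block, not placed into an HTML attribute or text node, where HTML entity encoding is the appropriate escape.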
FAQs
Properly escape JSON for usage as an object literal inside of a `<script>` tag
The npm package htmlescape receives a total of 825,490 weekly downloads. As such, its popularity is classified as popular.
We found that htmlescape demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.