html-specialchars
A small library providing utility methods to escape
special characters
to their HTML entities as well as unescape
their corresponding entity/numeric
character references back to chars.
The escaped (→) and unescaped (←)
1. Syntax characters
There are three characters that should always appear in content as escapes, so that they do not interact with the syntax of the markup. These are part of the language for all documents based on XML and for HTML.
&
↔ &
<
↔ <
>
↔ >
&
← &
<
← <
>
← >
2. Quotations
"
↔ "
'
↔ '
` ↔ `
"
← "
'
← '
` ← `
There is still (2015) information around, that
[...]
'
not recommended because its not in the HTML spec -
for this reason the XHTML specification recommends instead the
use of'
[...]
This refers to HTML 4.01 and should be obsolete with todays HTML 5.
3. OWASP Recommendation
You'll find further clarification in the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet
/
↔ /
/
← /
Installation
npm install html-specialchars --save
Usage
var html_specialchars = ; var unsafeUserInput = 'Oh yes, <script>while(1);</script>' + 'I really enjoyed your party!'; var safeString = html_specialchars; var plainTextAgain = html_specialchars; console; console; console;
Development
If you want to contribute, do tests etc. please read the devnotes.
Release History
- 1.0.4 Updated readme.txt and package.json tags, removed .gitattributes and .editorconfig from production repo
- 1.0.3 Minor bug fixes in documentation, added version badge
- 1.0.2 Reorganisation of repository contents for being leaner when used in production
- 1.0.1 Minor bug fix
- 1.0.0 Initial release