xss-escape

Escapes content for prevention of XSS (Cross Site Scripting) attacks.

Usage (no npm install needed!)

<script type="module">
  import xssEscape from 'https://cdn.skypack.dev/xss-escape';
</script>

README

xss-escape

Escapes strings for safe insertion into HTML, and helps prevent cross-site scripting attacks.

xss-escape escapes the following characters to their respective HTML character codes:

  • & -> &amp;
  • < -> &lt;
  • > -> &gt;
  • " -> &quot;
  • ' -> &#x27;
  • / -> &#x2F;

Note that xss-escape only protects data being used in the body of HTML elements. It does not protect in other contexts, such as HTML attribute or URL contexts.
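
To make the note above concrete, here is an added example (not part of the xss-escape project or its README). `escapeBody` is a stand-in that applies only the six replacements listed above; `passesThrough`, `safeHref`, `renderLink` and the sample values are hypothetical names and constructed inputs.

```javascript
// Added example. escapeBody is a stand-in applying only the six replacements
// listed above; it is NOT the xss-escape source. All names are hypothetical.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
};
function escapeBody(s) {
  // Single pass, so the '&' of an emitted entity is never escaped twice.
  return String(s).replace(/[&<>"'\/]/g, (ch) => ENTITIES[ch]);
}

// True when escaping leaves the value untouched, i.e. the escaper adds
// nothing for this value in whatever context it is placed.
function passesThrough(value) {
  return escapeBody(value) === value;
}

// URL context: entity escaping never changes a URL scheme, so check the
// scheme against an allowlist before the value reaches href/src.
// Assumption: only absolute http(s) and mailto URLs are wanted; relative
// URLs and every other scheme are replaced with '#'.
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url).trim()); // normalizes scheme case
  } catch (e) {
    return '#';
  }
  return ALLOWED_SCHEMES.includes(parsed.protocol) ? escapeBody(parsed.href) : '#';
}

// Attribute context: always quote the attribute. A value with spaces but no
// escaped characters would otherwise end an unquoted attribute early.
function renderLink(url, label) {
  return '<a href="' + safeHref(url) + '">' + escapeBody(label) + '</a>';
}

// Constructed sample values (not from the page).
console.log(escapeBody('<b>bold</b>'));           // body context: neutralized
console.log(passesThrough('javascript:void(0)')); // URL context: unchanged
console.log(passesThrough('x onfocus=y'));        // unquoted attribute: unchanged
console.log(renderLink('javascript:void(0)', '<i>profile</i>'));
```
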

In NodeJS

npm install xss-escape

var xssEscape = require('xss-escape');
var escapedString = xssEscape(unsafeString);

In the Browser

<script src="path/to/xss-escape.js"></script>
<script>
    var escapedString = xssEscape(unsafeString);
</script>

Can be used with nested objects or arrays.

var escapedObject = xssEscape({ a: 'foo', c: [{ b: 'bar' }, 'baz'] });

Run Tests

While in the project's root directory:

  • npm install
  • nodeunit test.js

Or run tests on every file save:

  • grunt watch

Run Benchmarks

While in the project's root directory, run:

  • npm install
  • grunt benchmark