html-specialchars

A small library providing utility methods to escape special characters to their HTML entities as well as unescape their corresponding entity/numeric character references back to chars.

The escaped (→) and unescaped (←)

1. Syntax characters

There are three characters that should always appear in content as escapes, so that they do not interact with the syntax of the markup. These are part of the language for all documents based on XML and for HTML.

& ↔ &
< ↔ <
> ↔ >

& ← &
< ← <
> ← >

2. Quotations

" ↔ "
' ↔ '
 `  ↔ `

" ← "
' ← '
 `  ← `

There is still (2015) information around, that

[...] ' not recommended because its not in the HTML spec -
for this reason the XHTML specification recommends instead the
use of ' [...]

This refers to HTML 4.01 and should be obsolete with todays HTML 5.

3. OWASP Recommendation

You'll find further clarification in the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet

/ ↔ /
/ ← /

Installation

  npm install html-specialchars --save

Usage

  var html_specialchars = require('html-specialchars');

  var unsafeUserInput = 'Oh yes, <script>while(1);</script>' + 
                        'I really enjoyed your party!';
  
  var safeString = html_specialchars.escape(unsafeUserInput);
  
  var plainTextAgain = html_specialchars.unescape(safeString);

  console.log('User input: ' + unsafeUserInput);
  console.log('Escaped: ' + safeString);
  console.log('Unescaped: ' + plainTextAgain);

Development

If you want to contribute, do tests etc. please read the devnotes.

Release History

• 1.0.4 Updated readme.txt and package.json tags, removed .gitattributes and .editorconfig from production repo
• 1.0.3 Minor bug fixes in documentation, added version badge
• 1.0.2 Reorganisation of repository contents for being leaner when used in production
• 1.0.1 Minor bug fix
• 1.0.0 Initial release