escape()

escape(str): string

Escapes HTML special characters to their corresponding entities.

note

Escapes &, <, >, ", and '. Essential for XSS prevention.

---

Parameters

str: string

The string to escape.

---

Returns: string

The escaped string.

---

See Also

unescape for the inverse operation.

---

Since

2.0.0

---

Performance

O(n) time where n is string length. Single regex pass with object lookup.

---

Also known as

escape (Lodash, es-toolkit) · escapeHTML (Radashi) · escapeHtml (Modern Dash) · ❌ (Remeda, Ramda, Effect, Antfu)

---

Example

escape('<div>');   // => '&lt;div&gt;'
escape('a & b');   // => 'a &amp; b'
escape('"hello"'); // => '&quot;hello&quot;'
escape('<script>alert("XSS")</script>');
// => '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'

---

How it works?

Escapes HTML special characters to their corresponding entities. Essential for XSS prevention.

Character Mapping

Character	Entity
&	&
<	&lt;
>	&gt;
"	&quot;
'	&#39;

XSS Prevention

Roundtrip with unescape

---

Use Cases

Prevent XSS 📌

Escape unsafe characters in strings before rendering to HTML. Critical for security when displaying user-generated content.

#prevent#XSS#security#escape#HTML#injection

const safeHtml = escape('<script>alert("xss")</script>');
// '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'

Sanitize user comments

Escape HTML entities in user-submitted content before display.

#sanitize#comments#user-content#entities#HTML#escape

const comment = escape('I <3 this product & service!');
// 'I &lt;3 this product &amp; service!'

Escape user input in HTML email templates

Prevent HTML injection when inserting user-provided data into email templates.

#email#template#HTML#escape#injection#safe

const html = `
  <h1>Hello ${escape(userName)}</h1>
  <p>Your message: ${escape(userMessage)}</p>
`;
sendEmail({ to: recipient, html });