escape()

escape(str): string

Escapes HTML special characters to their corresponding entities.

remarque

Escapes &, <, >, ", and '. Essential for XSS prevention.

Parameters

str: `string`

The string to escape.

Returns: `string`

The escaped string.

Since

2.0.0

Performance

O(n) time where n is string length. Single regex pass with object lookup.

Also known as

escape (Lodash, es-toolkit) · escapeHTML (Radashi) · escapeHtml (Modern Dash) · ❌ (Remeda, Ramda, Effect, Antfu)

Example

escape('<div>');   // => '&lt;div&gt;'
escape('a & b');   // => 'a &amp; b'
escape('"hello"'); // => '&quot;hello&quot;'
escape('<script>alert("XSS")</script>');
// => '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'

How it works?

Escapes HTML special characters to their corresponding entities. Essential for XSS prevention.

Character Mapping

Character	Entity
`&`	`&`
`<`	`<`
`>`	`>`
`"`	`"`
`'`	`'`

XSS Prevention

Roundtrip with unescape

Use Cases

Prevent XSS 📌

Escape unsafe characters in strings before rendering to HTML. Critical for security when displaying user-generated content.

#prevent #XSS #security #escape #HTML #injection #a11y #seo

const safeHtml = escape('<script>alert("xss")</script>');
// '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'

Sanitize user comments

Escape HTML entities in user-submitted content before display.

#sanitize #comments #user-content #entities #HTML #escape

const comment = escape('I <3 this product & service!');
// 'I &lt;3 this product &amp; service!'

Escape user input in HTML email templates

Prevent HTML injection when inserting user-provided data into email templates.

#email #template #HTML #escape #injection #safe #a11y

const html = `
  <h1>Hello ${escape(userName)}</h1>
  <p>Your message: ${escape(userMessage)}</p>
`;
sendEmail({ to: recipient, html });

Sanitize chat messages in real-time

Escape user messages before rendering in a live chat interface. Critical for chat apps, comment sections, and any real-time messaging UI.

#chat #message #sanitize #real-time #websocket #security #XSS

ws.on("message", (raw) => {
  const data = JSON.parse(raw);
  const safeMessage = escape(data.text);

  appendMessage({
    author: escape(data.username),
    content: safeMessage,
    timestamp: data.timestamp,
  });
});

Escape dynamic content in SSR templates

Prevent XSS when injecting dynamic data into server-rendered HTML. Essential for SSR frameworks and server-side template engines.

#SSR #template #dynamic #content #server #rendering #seo #security

const renderProductPage = (product) => `
  <div class="product">
    <h1>${escape(product.name)}</h1>
    <p class="description">${escape(product.description)}</p>
    <span class="price">${escape(String(product.price))}</span>
  </div>
`;

Parameters​

str: string​

Returns: string​

See Also​

Since​

Performance​

Also known as​

Example​

How it works?​

Character Mapping​

XSS Prevention​

Roundtrip with unescape​

Use Cases​

Prevent XSS 📌​

Sanitize user comments​

Escape user input in HTML email templates​

Sanitize chat messages in real-time​

Escape dynamic content in SSR templates​