@std/html

Overview

Functions for HTML tasks such as escaping or unescaping HTML entities.

import { unescape } from "@std/html/entities";
import { assertEquals } from "@std/assert";

// By default unescape() decodes only the basic entities (&amp; &lt; &gt; &quot; &#39;)
// and numeric character references such as &#x3C;.
assertEquals(unescape("&lt;&gt;&#39;&amp;AA"), "<>'&AA");
// Other named entities are left untouched unless the full HTML entity list
// (exported as @std/html/named-entity-list.json) is passed via the entityList option.
assertEquals(unescape("&thorn;&eth;"), "&thorn;&eth;");

Add to your project

deno add jsr:@std/html

What is this package?

A utility library for escaping and unescaping HTML entities. escape() converts the characters that carry meaning in HTML into entities, so that user-provided content inserted into a page is rendered as text instead of being parsed as markup; this is the basic defence against XSS for that insertion point. unescape() reverses the transformation and is a convenience for reading such text back, not a security control.

Why use @std/html?

Your application may need to display user-generated content within HTML. To prevent cross-site scripting (XSS) attacks, it is crucial to escape the characters that can change the structure of the document, namely <, >, &, ", and ', before embedding user input into HTML text content or into a quoted attribute value. Entity escaping covers only those two contexts: a value placed in a URL attribute such as href, inside a <script> block, in an inline event handler, or in CSS needs context-specific validation or encoding in addition to (not instead of) escaping.

Examples

import { escape, unescape } from "@std/html/entities";

const safe = escape(`<img src=x onerror=alert(1)>`); // &lt;img src=x onerror=alert(1)&gt;
const back = unescape("&lt;b&gt;ok&lt;/b&gt;"); // <b>ok</b>
// unescape() makes a single pass, so a double-escaped string only loses one layer:
const once = unescape("&amp;lt;b&amp;gt;ok&amp;lt;/b&amp;gt;"); // &lt;b&gt;ok&lt;/b&gt;

Tips

  • Escaping and unescaping operate on individual characters and entities only; they are not HTML sanitization. If you need to keep some user-supplied markup and strip dangerous tags or attributes, use a sanitizer.
  • Escaping is not idempotent: escaping an already-escaped string turns &amp; into &amp;amp;, which the browser then displays literally. Escape exactly once, at the point where the value is inserted into the HTML output, and keep the stored original unescaped.
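The following is an added example and not code from @std/html. It uses local escapeHtml()/unescapeHtml() stand-ins with the same character mapping the package documents, so the file runs without the JSR import (in a Deno project, use escape/unescape from @std/html/entities instead). It shows the points made above: escaping once at the insertion point for text content and a quoted attribute, why escaping alone does not make a URL attribute safe, and how a single unescape pass removes only one layer of double escaping. The renderComment/renderLink helpers and the attack strings are constructed for this example.

```typescript
// Added example, not @std/html code. escapeHtml/unescapeHtml reproduce the
// documented mapping (& < > " ' plus numeric references) so this file runs
// stand-alone; in Deno use `import { escape, unescape } from "@std/html/entities"`.

const ENTITY_BY_CHAR: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

const CHAR_BY_ENTITY: Record<string, string> = {
  amp: "&",
  lt: "<",
  gt: ">",
  quot: '"',
  apos: "'",
};

function escapeHtml(str: string): string {
  return str.replace(/[&<>"']/g, (c) => ENTITY_BY_CHAR[c]);
}

// One pass over the string: "&amp;lt;" becomes "&lt;", not "<".
// Unknown named entities (e.g. &thorn;) are left as they are.
function unescapeHtml(str: string): string {
  return str.replace(
    /&(?:#(\d+)|#x([0-9a-f]+)|([a-z]+));/gi,
    (m: string, dec?: string, hex?: string, name?: string) => {
      const cp = dec !== undefined
        ? parseInt(dec, 10)
        : hex !== undefined
        ? parseInt(hex, 16)
        : undefined;
      if (cp !== undefined) return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
      return CHAR_BY_ENTITY[(name ?? "").toLowerCase()] ?? m;
    },
  );
}

// Untrusted fields go into text content and a double-quoted attribute value.
// escapeHtml() is applied exactly once, at the point of insertion.
function renderComment(author: string, body: string): string {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
    `<p>${escapeHtml(body)}</p></div>`;
}

// Hypothetical helper: accept only absolute http(s) URLs.
function parseHttpUrl(url: string): URL | null {
  try {
    const parsed = new URL(url);
    return parsed.protocol === "http:" || parsed.protocol === "https:" ? parsed : null;
  } catch {
    return null; // relative or malformed input
  }
}

// A URL attribute is a different context. "javascript:alert(1)" contains none
// of the five escaped characters, so escapeHtml() returns it unchanged and it
// would still execute inside href. The scheme is validated first; anything that
// is not http(s) is rendered as plain text with no link at all.
function renderLink(url: string, label: string): string {
  const parsed = parseHttpUrl(url);
  if (parsed === null) return escapeHtml(label);
  return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs (attack strings a hypothetical user might submit).
const attributeBreakout = `" onmouseover="alert(1)`;
const tagInjection = `<img src=x onerror=alert(1)>`;

const card = renderComment(attributeBreakout, tagInjection);
const link = renderLink("javascript:alert(1)", "click me");

// Double escaping: two escapes produce &amp;amp;, and one unescape undoes only
// one layer, so a browser would display "a &amp; b" literally.
const twice = escapeHtml(escapeHtml("a & b"));
const oneLayerBack = unescapeHtml(twice);

console.log(card);
console.log(link);
console.log(twice, "->", oneLayerBack);
```

The card output keeps both attack strings inert (the quote in the author field becomes &quot;, so it cannot close the attribute), while the javascript: link is dropped entirely rather than "escaped", because no amount of entity escaping changes what a URL scheme does.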
