@std/html
Overview
Functions for HTML tasks such as escaping or unescaping HTML entities.
import { unescape } from "@std/html/entities";
import entityList from "@std/html/named-entity-list.json" with { type: "json" };
import { assertEquals } from "@std/assert";

// Named, decimal and hex entities from the default entity list
assertEquals(unescape("&lt;&gt;&#39;&amp;&#65;&#x41;"), "<>'&AA");

// Named entities outside the default list need the full entity list
assertEquals(unescape("&thorn;&eth;", { entityList }), "þð");
Add to your project
deno add jsr:@std/html
What is this package?
A utility library for safely escaping and unescaping HTML entities to prevent XSS vulnerabilities when inserting user-provided content into HTML.
Why use @std/html?
Your application may need to display user-generated content within HTML. To prevent cross-site scripting (XSS) attacks, it is crucial to escape the special characters <, >, &, " and ' before embedding user input into HTML.
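The following is an added example, not code from @std/html. It shows the pattern the paragraph describes: every untrusted value is escaped at the point it is written into HTML, whether it ends up inside an attribute value or as element text. escapeHtml, renderComment, leaksRawInput and the sample comment are all constructed for this illustration; escapeHtml is a local stand-in that uses the five-character mapping listed above, and in a Deno project you would import escape() from "@std/html/entities" instead.

```typescript
// Added example, not code from @std/html. escapeHtml is a local stand-in for
// escape() from "@std/html/entities" using the five-character mapping the
// page lists; in a Deno project import escape() from the package instead.
const ESCAPE_MAP: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c] ?? c);
}

// Untrusted input as it would arrive from a form or an API (constructed shape).
interface Comment {
  author: string;
  body: string;
}

// Escape at the output boundary: the author value lands in an attribute and in
// element text, the body in element text. All three positions get escaped.
function renderComment(c: Comment): string {
  const author = escapeHtml(c.author);
  const body = escapeHtml(c.body);
  return `<li class="comment" data-author="${author}"><b>${author}</b>: ${body}</li>`;
}

// Boundary check: if the raw input contains any of the five special characters
// and still appears verbatim in the rendered output, escaping was skipped.
function leaksRawInput(rendered: string, raw: string): boolean {
  return /[&<>"']/.test(raw) && rendered.includes(raw);
}

// Constructed sample: quotes in the author name, the page's own payload as body.
const sample: Comment = {
  author: `Ann "the" O'Neil`,
  body: `<img src=x onerror=alert(1)>`,
};

const html = renderComment(sample);
console.log(html);
console.log("raw input leaked:", leaksRawInput(html, sample.body));
```

leaksRawInput is a cheap assertion to put in a render-path test: it catches the case where a template writes a field without escaping, which is exactly the bug the escape function exists to prevent.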
Examples
import { escape, unescape } from "@std/html/entities";
const safe = escape(`<img src=x onerror=alert(1)>`); // &lt;img src=x onerror=alert(1)&gt;
const back = unescape("&lt;b&gt;ok&lt;/b&gt;"); // <b>ok</b>
Tips
- Escaping and unescaping only translate entities; they are not full HTML sanitization. Use a sanitizer when tags or attributes must be removed.
- Escape exactly once, at the point where the text is written into HTML. Escaping already-escaped text double-escapes it (e.g. &amp; becomes &amp;amp;) and the entity text is then displayed literally.
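An added example, not code from @std/html, that makes both tips concrete: escaping neutralizes markup without removing it (what the browser displays is the original text, tags included), and escaping is not idempotent, so it belongs at the render boundary and nowhere earlier. escapeHtml and unescapeHtml are local stand-ins covering only the five characters listed on this page; in a Deno project import escape() and unescape() from "@std/html/entities" instead. displayedText, escapeTwice, displayedAfterDoubleEscape and renderList are constructed for this illustration.

```typescript
// Added example, not code from @std/html. Local stand-ins for escape() and
// unescape() covering only the five characters the page lists; in a Deno
// project import both from "@std/html/entities" instead.
const ESCAPE_MAP: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
const UNESCAPE_MAP: Record<string, string> = {
  "&amp;": "&",
  "&lt;": "<",
  "&gt;": ">",
  "&quot;": '"',
  "&#39;": "'",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c] ?? c);
}

// Single pass, so "&amp;lt;" decodes to "&lt;" and not all the way to "<",
// which is how a browser treats it as well.
function unescapeHtml(s: string): string {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => UNESCAPE_MAP[e] ?? e);
}

// Tip 1: what a browser displays for escaped text is the original string,
// tags included. escape() neutralizes markup; it does not strip it, so a
// sanitizer is still needed when tags or attributes have to be removed.
function displayedText(untrusted: string): string {
  return unescapeHtml(escapeHtml(untrusted));
}

// Tip 2: escape() is not idempotent. A second pass re-escapes the "&" that
// begins every entity, and the user then sees "&lt;" literally on the page.
function escapeTwice(s: string): string {
  return escapeHtml(escapeHtml(s));
}

function displayedAfterDoubleEscape(s: string): string {
  return unescapeHtml(escapeTwice(s));
}

// The fix: store raw text and escape exactly once, at render time.
function renderList(rawItems: string[]): string {
  return rawItems.map((t) => `<li>${escapeHtml(t)}</li>`).join("");
}

// Constructed sample input.
const input = "<b>ok</b> & done";
console.log("escaped once  :", escapeHtml(input));
console.log("displayed     :", displayedText(input));
console.log("escaped twice :", escapeTwice(input));
console.log("displayed     :", displayedAfterDoubleEscape(input));
console.log(renderList(["a & b", "<i>"]));
```

displayedAfterDoubleEscape is the symptom to look for when a page shows entity text such as "&lt;b&gt;" to users: it means the value was escaped before storage and again on output, and one of those two escapes has to go.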