
The html namespace contains two methods for HTML escaping. The escape method is mandatory whenever plain text (user input in particular) is interpolated into an HTML template; it prevents the text from being parsed as markup, which is how cross-site scripting (XSS) attacks are injected.

Example code, where name is the user-supplied value (here, the name entered at registration):

  <h1>Hello ${html.escape(name)},</h1>

A user could register with the name <script>evil();</script>. Without escaping, that script runs in the browser of every visitor who sees the greeting. With the html.escape method, the output becomes:

  <h1>Hello &lt;script&gt;evil();&lt;/script&gt;,</h1>

In this form the browser displays the script source as text, as if it were an ordinary name, and nothing executes.
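The behaviour described above, as an added example that is not part of the original page or of the framework's own html namespace: a minimal escape/unescape pair, the greeting template in its unsafe and escaped forms, and a tagged template literal (named html here by assumption) that escapes every interpolation so the template author cannot forget the call. The escape set (&, <, >, ", ') is the usual one; whether the real html.escape covers exactly these characters is not stated on the page.

```javascript
// Added illustrative code, not the framework's own implementation.

// Characters that change meaning inside HTML text and quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape plain text so the browser renders it literally instead of parsing it as markup.
function escape(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Inverse of escape: decode numeric references and the named entities above.
// '&amp;' is decoded last so that '&amp;lt;' becomes '&lt;' and not '<'.
function unescape(input) {
  return String(input)
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Vulnerable: the user-controlled name is inserted verbatim into the markup.
function greetingUnsafe(name) {
  return `<h1>Hello ${name},</h1>`;
}

// Fixed: the name is escaped, so a script tag becomes inert text.
function greeting(name) {
  return `<h1>Hello ${escape(name)},</h1>`;
}

// Tagged template (assumed name 'html'): every ${...} value is escaped automatically,
// so a template author cannot forget the escape call for one interpolation.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escape(values[i]) : ''),
    ''
  );
}

// Constructed sample input: the malicious registration name from the text.
const evilName = '<script>evil();</script>';

console.log(greetingUnsafe(evilName)); // script tag survives: XSS
console.log(greeting(evilName));       // &lt;script&gt;...: rendered as text
console.log(html`<p>Signed in as ${evilName}</p>`);
```

escape is the right tool for text content and for values inside quoted attributes; it does not make a value safe inside a script block, an inline event handler, or a URL, which need their own context-specific encoding.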


Escape plain text as HTML. Characters with meaning in HTML are replaced by entities so the browser shows the text literally.

escape(input: string): string;


Convert escaped HTML back to plain text. This is the inverse of escape: entities such as &lt; are decoded back to their characters. It does not strip tags, and its result must be escaped again before being placed in a template.

unescape(input: string): string;