The `html` namespace contains two methods for HTML sanitizing. The `escape` method is mandatory when including plain text in HTML templates, to prevent XSS attacks.
Example code:

```html
<div>
<h1>Hello ${html.escape(input.name)},</h1>
<p>...</p>
</div>
```
A user could register with the name `<script>evil();</script>`. This script will run when the name is not properly escaped. With the `html.escape` method, the output becomes:
```html
<div>
<h1>Hello &lt;script&gt;evil();&lt;/script&gt;,</h1>
<p>...</p>
</div>
```
In this variant the browser displays the script text to the user as if it were an ordinary name, instead of executing it.
Escape

Escape plain text as HTML.

`escape(input: string): string;`
Unescape

Convert HTML to plain text.

`unescape(input: string): string;`
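The following is an added, self-contained JavaScript example that is not the library's own code: a minimal `html.escape` / `html.unescape` pair written here for illustration (the character set and replacement order are assumptions), applied to the greeting template from this page with the registered name `<script>evil();</script>` as constructed input. It shows the unescaped rendering beside the escaped one and checks that the escaped output contains no live tag and round-trips through `unescape`.

```javascript
// Added example: minimal HTML escaping helpers in plain JavaScript.
// The names mirror the documented API, but this implementation is an
// assumption written for illustration, not the library's own code.
const html = {
  // Escape the five characters that can break out of text or attribute context.
  // '&' must be replaced first so later replacements do not get double-encoded.
  escape(input) {
    return String(input)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  },
  // Reverse the escaping. The result is plain text again and must not be
  // inserted into markup without re-escaping.
  unescape(input) {
    return String(input)
      .replace(/&lt;/g, '<')
      .replace(/&gt;/g, '>')
      .replace(/&quot;/g, '"')
      .replace(/&#39;/g, "'")
      .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;", not "<"
  },
};

// The greeting template from the page, rendered without escaping (the unsafe form).
function renderUnsafe(name) {
  return `<div>\n<h1>Hello ${name},</h1>\n<p>...</p>\n</div>`;
}

// The same template with html.escape applied to the untrusted value.
function renderSafe(name) {
  return `<div>\n<h1>Hello ${html.escape(name)},</h1>\n<p>...</p>\n</div>`;
}

// Constructed sample input: the registered name used on the page.
const evilName = '<script>evil();</script>';

// Check that the escaped rendering contains no script tag and that the
// escaped value decodes back to the original plain text.
function check(name) {
  const safe = renderSafe(name);
  const tagsLeft = safe.includes('<script') || safe.includes('</script');
  return { safe, tagsLeft, roundTrip: html.unescape(html.escape(name)) === name };
}

console.log(renderUnsafe(evilName)); // contains a live <script> element
console.log(renderSafe(evilName));   // shows the name as text only
console.log(check(evilName));
```

`unescape` is the inverse for turning stored entity-encoded text back into plain text (for a plain-text e-mail, for instance); the decoded value is untrusted again and needs `escape` before it goes into a template.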