Gathering detailed insights and metrics for html-escaper
Gathering detailed insights and metrics for html-escaper
A module to escape/unescape common problematic entities done the right way.
Installations
npm install html-escaperReleases
Unable to fetch releases
Developer
WebReflection
Developer Guide
BETA
Module System
ESM
Min. Node Version
Typescript Support
No
Node Version
15.8.0
NPM Version
6.14.11
Statistics
107 Stars
28 Commits
6 Forks
6 Watching
3 Branches
1 Contributors
Updated on 03 Nov 2024
Bundle Size
572.00 B
Minified
344.00 B
Minified + Gzipped
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
4,067,338,875
Last day
-5.7%
5,485,082
Compared to previous day
Last week
0.8%
28,808,963
Compared to previous week
Last month
11.7%
121,889,660
Compared to previous month
Last year
17.6%
1,272,062,004
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
html-escaper
A simple module to escape/unescape common problematic entities.
Go sloppy if you like!
If you'd like to deal with any kind of input, including null or undefined, and even symbol kind, check html-sloppy-escaper out: it's this very same module, except it never throws errors 👍
V3 ESM Only Release
The version 3 of this module ditches entirely legacy browsers and nodejs with broken loaders, such as v13.0.0 and v13.1.0.
As the code is basically identical, simply stick with version 2 if you have any issue with this one 👋
How
This package is available in npm so npm install html-escaper is all you need to do, using eventually the global flag too.
Once the module is present
1import {escape, unescape} from 'html-escaper'; 2 3escape('string'); 4unescape('escaped string');
Why
there is basically one rule only: do not ever replace one char after another if you are transforming a string into another.
1// WARNING: THIS IS WRONG 2// if you are that kind of dev that does this 3function escape(s) { 4 return s.replace(/&/g, "&") 5 .replace(/</g, "<") 6 .replace(/>/g, ">") 7 .replace(/'/g, "'") 8 .replace(/"/g, """); 9} 10 11// you might be the same dev that does this too 12function unescape(s) { 13 return s.replace(/&/g, "&") 14 .replace(/</g, "<") 15 .replace(/>/g, ">") 16 .replace(/'/g, "'") 17 .replace(/"/g, '"'); 18} 19 20// guess what we have here ? 21unescape('&lt;'); 22 23// now guess this XSS too ... 24unescape('&lt;script&gt;alert("yo")&lt;/script&gt;'); 25 26
The last example will produce <script>alert("yo")</script> instead of the expected <script>alert("yo")</script>.
Nothing like this could possibly happen if we grab all chars at once and either ways.
It's just a fortunate case that after swapping & with & no other replace will be affected, but it's not portable and universally a bad practice.
Grab all chars at once, no excuses!
more details
As somebody might think it's an unescape issue only, it's not. Being an anti-pattern with side effects works both ways.
As example, changing the order of the replacement in escaping would produce the unexpected:
1function escape(s) { 2 return s.replace(/</g, "<") 3 .replace(/>/g, ">") 4 .replace(/'/g, "'") 5 .replace(/"/g, """) 6 .replace(/&/g, "&"); 7} 8 9escape('<'); // &lt; instead of <
If we do not want to code with the fear that the order wasn't perfect or that our order in either escaping or unescaping is different from the order another method or function used, if we understand the issue and we agree it's potentially a disaster prone approach, if we add the fact in this case creating 4 RegExp objects each time and invoking 4 times .replace trough the String.prototype is also potentially slower than creating one function only holding one object, or holding the function too, we should agree there is not absolutely any valid reason to keep proposing a char-by-char implementation.
We have proofs this approach can fail already so ... why should we risk? Just avoid and grab all chars at once or simply use this tiny utility.
Backtick
Internt explorer < 9 has some backtick issue
For compatibility sake with common server-side HTML entities encoders and decoders, and in order to have the most reliable I/O, this little utility will NOT fix this IE < 9 problem.
It is also important to note that if we create valid HTML and we set attributes at runtime through this utility, backticks in strings cannot possibly affect attribute behaviors.
1var img = new Image(); 2img.src = html.escape( 3 'x` `<script>alert(1)</script>"` `' 4); 5// it won't cause problems even in IE < 9
However, if you use innerHTML and you target IE < 9 then this might be a problem.
Accordingly, if you need more chars and/or backticks to be escaped and unescaped, feel free to use alternatives like lodash or he
Here a bit more of my POV and why I haven't implemented same thing alternatives did. Good news: those are alternatives ;-)
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.txt:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.txt:0
Reason
Found 0/27 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 2 are checked with a SAST tool
Score
3
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More