escape-goat

> Escape a string for use in HTML or the inverse [![Build Status](https://travis-ci.org/sindresorhus/escape-goat.svg?branch=master)](https://travis-ci.org/sindresorhus/escape-goat) ## Install ``` $ npm install escape-goat ``` ## Usage ```js const {htmlEscape, htmlUnescape, htmlEscapeTag, htmlUnescapeTag} = require('escape-goat'); htmlEscape('🦄 & 🐐'); //=> '🦄 & 🐐' htmlUnescape('🦄 & 🐐'); //=> '🦄 & 🐐' htmlEscape('Hello World'); //=> 'Hello <em>World</em>' const url = 'https://sindresorhus.com?x="🦄"'; htmlEscapeTag`Unicorn`; //=> 'Unicorn' const escapedUrl = 'https://sindresorhus.com?x="🦄"'; htmlUnescapeTag`URL from HTML: ${url}`; //=> 'URL from HTML: https://sindresorhus.com?x="🦄"' ``` ## API ### htmlEscape(string) Escapes the following characters in the given `string` argument: `&` `<` `>` `"` `'` ### htmlUnescape(htmlString) Unescapes the following HTML entities in the given `htmlString` argument: `&` `<` `>` `"` `'` ### htmlEscapeTag [Tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that escapes interpolated values. ### htmlUnescapeTag [Tagged template literal](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Template_literals#Tagged_template_literals) that unescapes interpolated values. ## Tip Ensure you always quote your HTML attributes to prevent possible [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting). ## FAQ ### Why yet another HTML escaping package? I couldn't find one I liked that was tiny, well-tested, and had both `.escape()` and `.unescape()`. ## License MIT © [Sindre Sorhus](https://sindresorhus.com)