
Here is how mustache.js[0] does it:

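    // Characters with special meaning in HTML, mapped to their entities.
    var entityMap = {
      "&": "&amp;",
      "<": "&lt;",
      ">": "&gt;",
      '"': '&quot;',
      "'": '&#39;',
      "/": '&#x2F;'
    };

    // Replace every special character in the input with its entity.
    function escapeHtml(string) {
      return String(string).replace(/[&<>"'\/]/g, function (s) {
        return entityMap[s];
      });
    }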


Also, document.createTextNode will tell the browser not to render the children as HTML, whereas appending a DOM element and innerHTML will.[1] I'm just assuming that behavior is correct in all browsers though.

[0]https://github.com/janl/mustache.js/blob/master/mustache.js#...

[1]https://jsfiddle.net/1dsygwoj/
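
Why `&` itself has to be escaped to `&amp;` along with the other characters, as an added example that is not part of the original comment and is not mustache.js code. `makeEscaper`, `decodeEntities`, `rendered`, `report` and the sample strings are constructed for illustration, and `decodeEntities` is only a stand-in for the browser's decoding of these six character references.

```javascript
// Added example: not mustache.js code. Helper names are hypothetical.
const entityMap = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "/": "&#x2F;"
};

// Build an escaper from a character -> entity map.
function makeEscaper(map) {
  const cls = Object.keys(map).map(c => "\\" + c).join("");
  const re = new RegExp("[" + cls + "]", "g");
  return value => String(value).replace(re, c => map[c]);
}

const escapeHtml = makeEscaper(entityMap);

// Same map with the "&" entry dropped, to show what goes wrong.
const { "&": _omitted, ...mapWithoutAmp } = entityMap;
const escapeNoAmp = makeEscaper(mapWithoutAmp);

// Stand-in for the HTML parser: decode the six references in one pass.
const decodeMap = Object.fromEntries(
  Object.entries(entityMap).map(([ch, ent]) => [ent, ch]));
function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39|#x2F);/g, e => decodeMap[e]);
}

// Text the page would display after the escaped string is parsed.
function rendered(escaper, input) {
  return decodeEntities(escaper(input));
}

// Constructed sample inputs: markup, and text that already contains entities.
const samples = ['<a href="/x">Tom & Jerry\'s</a>', "&lt;b&gt;", "AT&amp;T"];

// For each sample, does the displayed text equal what was submitted?
function report() {
  return samples.map(s => ({
    input: s,
    okWithAmp: rendered(escapeHtml, s) === s,
    okWithoutAmp: rendered(escapeNoAmp, s) === s
  }));
}

console.log(report());
```

Without the `&` entry, input that already contains entity text is displayed as different characters than were submitted; the decoded `<b>` is still text rather than a tag, but the escaper no longer round-trips.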




Thanks, I added that on top of JsHtmlSanitizer.



