Atta-panyi / Flapp

simple app on flask

How does it relate with XSS #3

Closed maks3201 closed 6 months ago

maks3201 commented 6 months ago

https://github.com/Atta-panyi/Flapp/blame/06f484fd98c40e7d8605ec8051fb79736749db8b/README.md#L7

Atta-panyi commented 6 months ago

For instance, an attacker might enter malicious code as their name, hoping it gets displayed on the website. If the website simply inserts this name into the HTML without any precautions, the attacker's code could be executed in the user's browser. This is XSS in action. The `escape()` function comes in to prevent this. It takes user input and replaces certain characters with their HTML entity equivalents. For instance, `<` becomes `&lt;`, `>` becomes `&gt;`, and `"` becomes `&quot;`. These entities are displayed as plain text in the browser, stopping them from being interpreted as code.
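
The behaviour described in the comment above, as an added example that is not part of the issue thread or of the Flapp repository: the same name is placed into a page with and without escaping, and an HTML parser reports which tags and attributes a browser would see. It uses the standard-library `html.escape` as a stand-in for the `escape()` the comment refers to; `TagCollector`, `render_unsafe`, `render_escaped`, `parse` and the sample names are hypothetical and constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records the tags, attributes and text an HTML parser sees in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []   # element names, in document order
        self.attrs = []  # (tag, attribute name) pairs
        self.text = []   # text nodes, with entities decoded for display

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name) for name, _ in attrs)

    def handle_data(self, data):
        self.text.append(data)


def render_unsafe(name):
    # Vulnerable pattern: user input is pasted into the markup as-is.
    return f'<p title="{name}">Hello, {name}!</p>'


def render_escaped(name):
    # Hardened: & < > " ' are replaced by entities before interpolation.
    safe = escape(name, quote=True)
    return f'<p title="{safe}">Hello, {safe}!</p>'


def parse(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector


# Constructed sample inputs: one for element context, one for attribute context.
SCRIPT_NAME = "<script>alert(1)</script>"
QUOTE_NAME = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for name in (SCRIPT_NAME, QUOTE_NAME):
        for render in (render_unsafe, render_escaped):
            seen = parse(render(name))
            print(render.__name__, seen.tags, seen.attrs)
```

The second sample shows why the double quote is in the escaped set: without it, a value placed inside an attribute can close the attribute and add a new one.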