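/**
 * Escape the five characters that are significant in HTML text and
 * quoted attribute values: & " ' < >.
 *
 * Intended for inserting untrusted strings into HTML markup (text nodes
 * and quoted attribute values). It is not sufficient on its own for
 * JavaScript, CSS or URL contexts, which need their own encoders.
 *
 * @param {string} unsafe - the raw string to escape
 * @returns {string} the escaped string
 */
function escapeHtml(unsafe) {
  // One pass with a lookup table: every character is replaced exactly
  // once, so the '&' produced for one entity can never be re-escaped by
  // a later replacement (the ordering hazard of chained replaceAll calls,
  // where '&' had to go first). The entity strings must differ from the
  // characters they replace, otherwise the function is a no-op.
  const entities = {
    '&': '&amp;',
    '"': '&quot;',
    "'": '&#39;',
    '<': '&lt;',
    '>': '&gt;',
  };
  return unsafe.replace(/[&"'<>]/g, (ch) => entities[ch]);
}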
Or strip all html (pre-render), client-side:
/**
 * Escape a string for HTML by round-tripping it through the DOM:
 * assigning textContent stores the string as a text node, and reading
 * innerHTML serializes that node back as markup, so '&', '<' and '>' in
 * the input come out entity-encoded instead of as live tags.
 *
 * Browser-only (needs the global `document`), for use before the string
 * is rendered into the page. Text-node serialization does not encode
 * quotes, so the result is safe as element text but not as an attribute
 * value.
 *
 * @param {string} s - untrusted text
 * @returns {string} the HTML-serialized text
 */
function sanitize(s) {
  const holder = Object.assign(document.createElement("div"), { textContent: s });
  return holder.innerHTML;
}
Or strip all html (pre-render), client-side:
Note: use
`d.innerText` (a property, not a method)
for post-render. See also: