Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 173 down vote favorite
43

Does anyone know of an easy way to escape HTML from strings in jQuery? I need to be able to pass an arbitrary string and have it properly escaped for display in an HTML page (preventing JavaScript/HTML injection attacks). I'm sure it's possible to extend jQuery to do this, but I don't know enough about the framework at the moment to accomplish this.

share|improve this question

16 Answers

up vote 151 down vote accepted

Since you're using jQuery, you can just set the element's text property:

// before:
// <div class="someClass">text</div>
var someHtmlString = "<script>alert('hi!');</script>";
var escaped = $("div.someClass").text(someHtmlString).html();
// after: 
// <div class="someClass">&lt;script&gt;alert('hi!');&lt;/script&gt;</div>
share|improve this answer
31  
You missed the point that you have to access $("div.someClass").html() to get the escaped version out. – Morten Christiansen Jan 30 '09 at 20:17
5  
This isn't cross browser safe if your string has whitespaces and \n \r \t chars in it – nivcaner Dec 4 '10 at 17:31
9  
@travis This is documented on the jQuery website: "Due to variations in the HTML parsers in different browsers, the text returned may vary in newlines and other white space." api.jquery.com/text – geofflee Mar 24 '11 at 11:48
1  
@geofflee hmm, interesting, thanks for that info! I'll do some testing, but it sounds like that's when .text() is called on some DOM nodes. I could be wrong, I'll report back... – travis Mar 24 '11 at 15:19
1  
Here's a JS bin to test with: jsbin.com/itahe4/7 Any amount of white-space I add doesn't seem to prevent the HTML from getting properly escaped. – travis Mar 24 '11 at 22:28
show 7 more comments
up vote 102 down vote 
$('<div/>').text('This is fun & stuff').html(); // "This is fun &amp; stuff"

Source: http://debuggable.com/posts/encode-html-entities-with-jquery:480f4dd6-13cc-4ce9-8071-4710cbdd56cb

share|improve this answer
6  
As mentioned in the above answer, this solution is not guaranteed to preserve whitespace. – geofflee Mar 24 '11 at 11:53
14  
It should be noted that this does nothing to escape single or double quotes. if you're planning to put the value into an HTML attribute, this can be a problem. – Kip Jun 16 '11 at 19:21
1  
@Kip: @travis found that jQuery's attr() method (as of at least 1.8.3) does its own encoding, so that unencoded strings can be passed directly; e.g.: $('<div/>').attr('test-attr', '\'Tis "fun" & stuff')[0].outerHTML – mklement0 Apr 13 at 5:08
up vote 37 down vote

There is also the solution from mustache.js

https://github.com/janl/mustache.js/blob/master/mustache.js#L82

 var entityMap = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': '&quot;',
    "'": '&#39;',
    "/": '&#x2F;'
  };

  function escapeHtml(string) {
    return String(string).replace(/[&<>"'\/]/g, function (s) {
      return entityMap[s];
    });
  }
share|improve this answer
This helped me out. Thanks. Also, I can not believe JS doesn't have this native. – acidzombie24 Mar 2 at 21:45
1  
Note that, curiously, ' is mapped to an entity with a decimal format, whereas / uses the hex format. – mklement0 Apr 18 at 13:15
up vote 35 down vote

If you're escaping for HTML, there are only three that I can think of that would be really necessary:

html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

Depending on your use case, you might also need to do things like " to &quot;. If the list got big enough, I'd just use an array:

var escaped = html;
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]]
for(var item in findReplace)
    escaped = escaped.replace(findReplace[item][0], findReplace[item][1]);

escapeURIComponent() will only escape it for URLs, not for HTML.

share|improve this answer
2  
I think your regular expressions need to be global for this to work, using /&/g instead of /&/. – Jed Schmidt Jun 17 '09 at 17:45
7  
This regular expression will produce strange results if the HTML in question already has escaped entities. For example, escaping "Tom &amp; Jerry" will produce "Tom &amp;amp; Jerry" – Ryan Nov 7 '10 at 18:24
5  
Please use var to declare item locally; anyway, don't use a for … in loop at all when looping through an array! Use an ordinary for loop instead. Oh, and it's encodeURIComponent, not escapeURIComponent. – Marcel Korpel Mar 16 '11 at 16:33
1  
If you are working with tag attributes, then you will also need to escape quotes and/or double quotes. The PHP documentation for htmlspecialchars contains a useful list of conversions that it performs. php.net/htmlspecialchars – geofflee Mar 24 '11 at 12:05
3  
Just a kind reminder for new people, don't use this if you intend to have non-english characters somewhere on your website ... Obviously this won't do because of characters with accents like 'é' : &eacute; Here's a list of html entities, for reference : w3schools.com/tags/ref_entities.asp – LoganWolfer Apr 1 '11 at 21:50
show 5 more comments
up vote 14 down vote

I wrote a tiny little function which does this. It only escapes ", &, < and > (but usually that's all you need anyway). It is slightly more elegant then the earlier proposed solutions in that it only uses one .replace() to do all the conversion.

var escapeHTML = (function () {
    'use strict';
    var chr = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
    return function (text) {
        return text.replace(/[\"&<>]/g, function (a) { return chr[a]; });
    };
}());

And the function uses a closure to keep chr to itself without having to re-initialize it every time you call it. This is plain Javascript, no jQuery needed.

Escaping / and ' too

Edit in response to mklement's comment.

The above function can easily be expanded to include any character. To specify more characters to escape, simply insert them both in the character class in the regular expression (i.e. inside the /[...]/g) and as an entry in the chr object.

var escapeHTML = (function () {
    'use strict';
    var chr = {
        '"': '&quot;', '&': '&amp;', "'": '&#39;',
        '/': '&#47;',  '<': '&lt;',  '>': '&gt;'
    };
    return function (text) {
        return text.replace(/[\"&'\/<>]/g, function (a) { return chr[a]; });
    };
}());

Note the above use of &#39; for apostrophe (the symbolic entity &apos; might have been used instead – it is defined in XML, but was originally not included in the HTML spec and might therefore not be supported by all browsers. See: Wikipedia article on HTML character encodings). I also recall reading somewhere that using decimal entities is more widely supported than using hexadecimal, but I can't seem to find the source for that now though. (And there cannot be many browsers out there which does not support the hexadecimal entities.)

Note: Adding / and ' to the list of escaped characters isn't all that useful, since they do not have any special meaning in HTML and do not need to be escaped.

share|improve this answer
Nicely done; would you mind amending it to also escape ' and /? that would make it a more concise, self-contained alternative to @Tom Gruner's mustache source code-based solution. – mklement0 Apr 12 at 14:15
@mklement Added another example which includes ' and / for you. :) – Zrajm C Akfohg Apr 18 at 7:05
Thank you for taking the time, @Zrajm. Good point about not needing escaping; any idea why both mustache.js and underscore.js do it? Speaking of the latter: it only recognizes the numerical entities (representing ' and /'), in the uppercase hex form when un*escaping. Thus, text escaped in mustache.js - which curiously uses a *mix of hex. and decimal formats - would not be correctly unescaped in underscore.js. I wonder how other popular libraries deal with that. – mklement0 Apr 18 at 13:22
The lower case hex form is the most supported form, so that is (probably) the form that the libraries should convert to. (Of course both forms should work when converting from.) – Apostrophes ' have some sort of reserved function in XML (and thus XHTML, I imagine?), which is why XML (but not HTML) have the named entity &apos;. Exactly in why or in what way it is “reserved” I do not know. – Slashes are special in URLs, but that does not actually warrant them for inclusion in escaping HTML (as URL encoding is something completely different). – Zrajm C Akfohg Apr 20 at 1:29
Re &apos;: correct: safe use only in XHTML; straight from the crowd-source's mouth - emphasis mine: "(...) read by a conforming HTML processor, (...) use of &apos; or custom entity references may not be supported (...)" - in practice: modern browsers support it even in HTML. Re case in hex nums. (same source; emphasis mine):"The x must be lowercase in XML documents. […] The hhhh may mix uppercase and lowercase, though uppercase is the usual style." Leaves us to wonder who decided to encode slashes; perhaps really just a confusion between URI and HTML encoding? – mklement0 Apr 20 at 2:34
show 1 more comment
up vote 11 down vote

Try Underscore.string lib, it works with jQuery.

_.str.escapeHTML('<div>Blah blah blah</div>')

output:

'&lt;div&gt;Blah blah blah&lt;/div&gt;'
share|improve this answer
6  
The main underscore library now has an _.escape() utility function. – codeape Oct 11 '12 at 12:14
up vote 8 down vote

Here is a clean clear javascript function.
It will escape text such as "a few < many" into "a few &lt; many".

function escapeHtmlEntities (str) {
  if (typeof jQuery !== 'undefined') {
    // Create an empty div to use as a container,
    // then put the raw text in and get the HTML
    // equivalent out.
    return jQuery('<div/>').text(str).html();
  }

  // No jQuery, so use string replace.
  return str
    .replace(/&/g, '&amp;')
    .replace(/>/g, '&gt;')
    .replace(/</g, '&lt;')
    .replace(/"/g, '&quot;');
}
share|improve this answer
4  
if (jQuery !== undefined) { should be if (typeof jQuery !== 'undefined') { The code you have fails if jQuery is not defined – Juan Mendes Sep 25 '12 at 4:22
I have made the correction. Thank you. – Chris Nash Apr 8 at 8:59
up vote 5 down vote

If your're going the regex route, there's an error in tghw's example above.

<!-- WON'T WORK -  item[0] is an index, not an item -->

var escaped = html; 
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g,"&gt;"], [/"/g,
"&quot;"]]

for(var item in findReplace) {
     escaped = escaped.replace(item[0], item[1]);   
}


<!-- WORKS - findReplace[item[]] correctly references contents -->

var escaped = html;
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]]

for(var item in findReplace) {
     escaped = escaped.replace(findReplace[item[0]], findReplace[item[1]]);
}
share|improve this answer
1  
I believe it should be for(var item in findReplace) { escaped = escaped.replace(findReplace[item][0], findReplace[item][1]); } – Chris Stephens Jun 23 '11 at 21:23
up vote 5 down vote

I've enhanced the mustache.js example adding the escapeHTML() method to the string object.

var __entityMap = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': '&quot;',
    "'": '&#39;',
    "/": '&#x2F;'
};

String.prototype.escapeHTML = function() {
    return String(this).replace(/[&<>"'\/]/g, function (s) {
        return __entityMap[s];
    });
}

That way it is quite easy to use "Some <text>, more Text&Text".escapeHTML()

share|improve this answer
up vote 4 down vote

This is a nice safe example...

function escapeHtml(str) {
    if (typeof(str) == "string"){
        try{
            var newStr = "";
            var nextCode = 0;
            for (var i = 0;i < str.length;i++){
                nextCode = str.charCodeAt(i);
                if (nextCode > 0 && nextCode < 128){
                    newStr += "&#"+nextCode+";";
                }
                else{
                    newStr += "?";
                }
             }
             return newStr;
        }
        catch(err){
        }
    }
    else{
        return str;
    }
}
share|improve this answer
What types of exceptions are you suppressing there? – Stefan Majewsky Nov 16 '12 at 16:08
up vote 3 down vote

escape() and unescape() are intended to encode/decode strings for URLs, not HTML.

Actually, I use the following snippet to do the trick that doesn't require any framework:

var escapedHtml = html.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
share|improve this answer
If you're going to have "s then you need to add at least ' and `` to the fray. Those are only really needed for string tag data inside elements in html. For html data itself (outside tags) only the first 3 are required. – Marius 2 days ago
up vote 3 down vote 
unescape(escape("It's > 20% less complicated this way."))

Escaped string: "It%27s%20%3E%2020%25%20less%20complicated%20this%20way."

If the escaped spaces bother you, try:

unescape(escape("It's > 20% less complicated this way.").replace(/%20/g, " "))

Escaped string: "It%27s %3E 20%25 less complicated this way."

Note: This is only for easy embedding and doesn't break embedded HTML and scripts, for which this answer provides the jQuery and normal JS methods.

share|improve this answer
up vote 3 down vote 
function htmlEscape(str) {
    var stringval="";
    $.each(str, function (i, element) {
        alert(element);
        stringval += element
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;')
            .replace(' ', '-')
            .replace('?', '-')
            .replace(':', '-')
            .replace('|', '-')
            .replace('.', '-');
    });
    alert(stringval);
    return String(stringval);
}
share|improve this answer
up vote 1 down vote 
(function(undefined){
    var charsToReplace = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;'
    };

    var replaceReg = new RegExp("[" + Object.keys(charsToReplace).join("") + "]", "g");
    var replaceFn = function(tag){ return charsToReplace[tag] || tag; };

    var replaceRegF = function(replaceMap) {
        return (new RegExp("[" + Object.keys(charsToReplace).concat(Object.keys(replaceMap)).join("") + "]", "gi"));
    };
    var replaceFnF = function(replaceMap) {
        return function(tag){ return replaceMap[tag] || charsToReplace[tag] || tag; };
    };

    String.prototype.htmlEscape = function(replaceMap) {
        if (replaceMap === undefined) return this.replace(replaceReg, replaceFn);
        return this.replace(replaceRegF(replaceMap), replaceFnF(replaceMap));
    };
})();

No global variables, some memory optimization. Usage: 

"some<tag>and&symbol©".htmlEscape({'©': '&copy;'})

result is: 

"some&lt;tag&gt;and&amp;symbol&copy;"
share|improve this answer
up vote 0 down vote 
function htmlDecode(t){
   if (t) return $('<div />').html(t).text();
}

works like a charm

share|improve this answer
up vote 0 down vote

After last tests I can recommend fastest and completely cross browser compatible native java script (DOM) solution:

function HTMLescape(html){
    return document.createElement('div')
        .appendChild(document.createTextNode(html))
        .parentNode
        .innerHTML
}

If you repeat it many times you can do it with once prepared variables:

//prepare variables
var DOMtext = document.createTextNode("test");
var DOMnative = document.createElement("span");
DOMnative.appendChild(DOMtext);

//main work for each case
function HTMLescape(html){
  DOMtext.nodeValue = html;
  return DOMnative.innerHTML
}

Look at my final performance comparison (stack question).

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.