current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Join the Stack Overflow Community
Stack Overflow is a community of 6.6 million programmers, just like you, helping each other.
Join them; it only takes a minute:
Sign up
up vote 458 down vote favorite
110

Does anyone know of an easy way to escape HTML from strings in jQuery? I need to be able to pass an arbitrary string and have it properly escaped for display in an HTML page (preventing JavaScript/HTML injection attacks). I'm sure it's possible to extend jQuery to do this, but I don't know enough about the framework at the moment to accomplish this.

share|improve this question
    
Also see perf: jsperf.com/… – Christophe Roussy Oct 27 '15 at 9:39

23 Answers 23

up vote 329 down vote accepted

Since you're using jQuery, you can just set the element's text property:

// before:
// <div class="someClass">text</div>
var someHtmlString = "<script>alert('hi!');</script>";

// set a DIV's text:
$("div.someClass").text(someHtmlString);
// after: 
// <div class="someClass">&lt;script&gt;alert('hi!');&lt;/script&gt;</div>

// get the text in a string:
var escaped = $("<div>").text(someHtmlString).html();
// value: 
// &lt;script&gt;alert('hi!');&lt;/script&gt;
share|improve this answer
50  
You missed the point that you have to access $("div.someClass").html() to get the escaped version out. – Morten Christiansen Jan 30 '09 at 20:17
13  
This isn't cross browser safe if your string has whitespaces and \n \r \t chars in it – nivcaner Dec 4 '10 at 17:31
17  
@travis This is documented on the jQuery website: "Due to variations in the HTML parsers in different browsers, the text returned may vary in newlines and other white space." api.jquery.com/text – geofflee Mar 24 '11 at 11:48
3  
@mklement if you're already using this solution, you won't have any issues with that doing something like: $(element2).attr("some-attr", $(element1).html()); See this example: jsbin.com/atibig/1/edit – travis Apr 12 '13 at 18:01
12  
This does NOT escape quotes and double quotes which is bad! wonko.com/post/html-escaping – Lior Mar 18 '14 at 10:10
up vote 392 down vote

There is also the solution from mustache.js

var entityMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;'
};

function escapeHtml (string) {
  return String(string).replace(/[&<>"'`=\/]/g, function (s) {
    return entityMap[s];
  });
}
share|improve this answer
18  
This helped me out. Thanks. Also, I can not believe JS doesn't have this native. – acidzombie24 Mar 2 '13 at 21:45
5  
Note that, curiously, ' is mapped to an entity with a decimal format, whereas / uses the hex format. – mklement0 Apr 18 '13 at 13:15
26  
This should be the accepted answer - it is simple, efficient, requires no dependencies and does exactly what is intended with no obscure hacks. – lorefnon Jul 29 '13 at 12:28
5  
what's the guidance on converting \n to <br>? – amwinter Oct 18 '13 at 8:02
5  
@amwinter, I extended script above adding "\n" : '<br>' to entity map and updated regexp to /[&<>"'\/]|[\n]/g – walv Jun 25 '14 at 16:30
up vote 162 down vote 
$('<div/>').text('This is fun & stuff').html(); // "This is fun &amp; stuff"

Source: http://debuggable.com/posts/encode-html-entities-with-jquery:480f4dd6-13cc-4ce9-8071-4710cbdd56cb

share|improve this answer
11  
As mentioned in the above answer, this solution is not guaranteed to preserve whitespace. – geofflee Mar 24 '11 at 11:53
37  
It should be noted that this does nothing to escape single or double quotes. if you're planning to put the value into an HTML attribute, this can be a problem. – Kip Jun 16 '11 at 19:21
6  
@Kip: @travis found that jQuery's attr() method (as of at least 1.8.3) does its own encoding, so that unencoded strings can be passed directly; e.g.: $('<div/>').attr('test-attr', '\'Tis "fun" & stuff')[0].outerHTML – mklement0 Apr 13 '13 at 5:08
    
I'm getting error '<div/>' is not a valid selector. with this solution. – tarekahf Nov 4 '16 at 20:26
1  
@tarekahf That's odd. What version of jQuery are you using? Does the example code work if you copy-paste it verbatim? Works fine with latest jQuery (3.1.0) here: jsbin.com/fazimigayo/1/edit?html,js,console,output (and it should work on all earlier versions too) – Henrik N Nov 5 '16 at 20:46
up vote 52 down vote

If you're escaping for HTML, there are only three that I can think of that would be really necessary:

html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

Depending on your use case, you might also need to do things like " to &quot;. If the list got big enough, I'd just use an array:

var escaped = html;
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]]
for(var item in findReplace)
    escaped = escaped.replace(findReplace[item][0], findReplace[item][1]);

encodeURIComponent() will only escape it for URLs, not for HTML.

share|improve this answer
4  
I think your regular expressions need to be global for this to work, using /&/g instead of /&/. – Jed Schmidt Jun 17 '09 at 17:45
12  
This regular expression will produce strange results if the HTML in question already has escaped entities. For example, escaping "Tom &amp; Jerry" will produce "Tom &amp;amp; Jerry" – Ryan Nov 7 '10 at 18:24
11  
Please use var to declare item locally; anyway, don't use a for … in loop at all when looping through an array! Use an ordinary for loop instead. Oh, and it's encodeURIComponent, not escapeURIComponent. – Marcel Korpel Mar 16 '11 at 16:33
4  
Just a kind reminder for new people, don't use this if you intend to have non-english characters somewhere on your website ... Obviously this won't do because of characters with accents like 'é' : &eacute; Here's a list of html entities, for reference : w3schools.com/tags/ref_entities.asp – LoganWolfer Apr 1 '11 at 21:50
9  
@Ryan: While it's worth pointing out that this solution doesn't handle already-encoded strings correctly, it's also worth nothing that the same applies to most - possibly all - solutions on this page. – mklement0 Apr 12 '13 at 14:21
up vote 35 down vote

I wrote a tiny little function which does this. It only escapes ", &, < and > (but usually that's all you need anyway). It is slightly more elegant then the earlier proposed solutions in that it only uses one .replace() to do all the conversion. (EDIT 2: Reduced code complexity making the function even smaller and neater, if you're curious about the original code see end of this answer.)

function escapeHtml(text) {
    'use strict';
    return text.replace(/[\"&<>]/g, function (a) {
        return { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' }[a];
    });
}

This is plain Javascript, no jQuery used.

Escaping / and ' too

Edit in response to mklement's comment.

The above function can easily be expanded to include any character. To specify more characters to escape, simply insert them both in the character class in the regular expression (i.e. inside the /[...]/g) and as an entry in the chr object. (EDIT 2: Shortened this function too, in the same way.)

function escapeHtml(text) {
    'use strict';
    return text.replace(/[\"&'\/<>]/g, function (a) {
        return {
            '"': '&quot;', '&': '&amp;', "'": '&#39;',
            '/': '&#47;',  '<': '&lt;',  '>': '&gt;'
        }[a];
    });
}

Note the above use of &#39; for apostrophe (the symbolic entity &apos; might have been used instead – it is defined in XML, but was originally not included in the HTML spec and might therefore not be supported by all browsers. See: Wikipedia article on HTML character encodings). I also recall reading somewhere that using decimal entities is more widely supported than using hexadecimal, but I can't seem to find the source for that now though. (And there cannot be many browsers out there which does not support the hexadecimal entities.)

Note: Adding / and ' to the list of escaped characters isn't all that useful, since they do not have any special meaning in HTML and do not need to be escaped.

Original escapeHtml Function

EDIT 2: The original function used a variable (chr) to store the object needed for the .replace() callback. This variable also needed an extra anonymous function to scope it, making the function (needlessly) a little bit bigger and more complex.

var escapeHtml = (function () {
    'use strict';
    var chr = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
    return function (text) {
        return text.replace(/[\"&<>]/g, function (a) { return chr[a]; });
    };
}());

I haven't tested which of the two versions are faster. If you do, feel free to add info and links about it here.

share|improve this answer
    
Nicely done; would you mind amending it to also escape ' and /? that would make it a more concise, self-contained alternative to @Tom Gruner's mustache source code-based solution. – mklement0 Apr 12 '13 at 14:15
    
@mklement Added another example which includes ' and / for you. :) – zrajm Apr 18 '13 at 7:05
    
Thank you for taking the time, @Zrajm. Good point about not needing escaping; any idea why both mustache.js and underscore.js do it? Speaking of the latter: it only recognizes the numerical entities (representing ' and /'), in the uppercase hex form when unescaping. Thus, text escaped in mustache.js - which curiously uses a mix of hex. and decimal formats - would not be correctly unescaped in underscore.js. I wonder how other popular libraries deal with that. – mklement0 Apr 18 '13 at 13:22
1  
The lower case hex form is the most supported form, so that is (probably) the form that the libraries should convert to. (Of course both forms should work when converting from.) – Apostrophes ' have some sort of reserved function in XML (and thus XHTML, I imagine?), which is why XML (but not HTML) have the named entity &apos;. Exactly in why or in what way it is “reserved” I do not know. – Slashes are special in URLs, but that does not actually warrant them for inclusion in escaping HTML (as URL encoding is something completely different). – zrajm Apr 20 '13 at 1:29
2  
Final thoughts: seems like encoding / is not needed, but encoding ' still seems useful to safely handle the case case where an encoded string is used as an attribute value enclosed in single quotes. – mklement0 Apr 20 '13 at 3:05
up vote 28 down vote

Easy enough to use underscore:

_.escape(string)

Underscore is a utility library that provides a lot of features that native js doesn't provide. There's also lodash which is the same API as underscore but was rewritten to be more performant.

share|improve this answer
up vote 23 down vote

Try Underscore.string lib, it works with jQuery.

_.str.escapeHTML('<div>Blah blah blah</div>')

output:

'&lt;div&gt;Blah blah blah&lt;/div&gt;'
share|improve this answer
19  
The main underscore library now has an _.escape() utility function. – codeape Oct 11 '12 at 12:14
up vote 23 down vote

Here is a clean, clear JavaScript function. It will escape text such as "a few < many" into "a few &lt; many".

function escapeHtmlEntities (str) {
  if (typeof jQuery !== 'undefined') {
    // Create an empty div to use as a container,
    // then put the raw text in and get the HTML
    // equivalent out.
    return jQuery('<div/>').text(str).html();
  }

  // No jQuery, so use string replace.
  return str
    .replace(/&/g, '&amp;')
    .replace(/>/g, '&gt;')
    .replace(/</g, '&lt;')
    .replace(/"/g, '&quot;');
}
share|improve this answer
6  
if (jQuery !== undefined) { should be if (typeof jQuery !== 'undefined') { The code you have fails if jQuery is not defined – Juan Mendes Sep 25 '12 at 4:22
1  
I have made the correction. Thank you. – Chris Nash Apr 8 '13 at 8:59
up vote 17 down vote

After last tests I can recommend fastest and completely cross browser compatible native java script (DOM) solution:

function HTMLescape(html){
    return document.createElement('div')
        .appendChild(document.createTextNode(html))
        .parentNode
        .innerHTML
}

If you repeat it many times you can do it with once prepared variables:

//prepare variables
var DOMtext = document.createTextNode("test");
var DOMnative = document.createElement("span");
DOMnative.appendChild(DOMtext);

//main work for each case
function HTMLescape(html){
  DOMtext.nodeValue = html;
  return DOMnative.innerHTML
}

Look at my final performance comparison (stack question).

share|improve this answer
1  
Is it necessary to use two nodes? How about just one: var p = document.createElement('p'); p.textContent = html; return p.innerHTML; – Dan Dascalescu Aug 13 '15 at 15:14
    
@DanDascalescu: According to MDN, the textContent function is only supported by Chrome 1+, Firefox 2, IE9, Opera 9.64 and Safari 3 (the latter two annotated "possibly earlier"). It would thus break the OPs "completely cross-browser compatible" claim. – zb226 Nov 11 '15 at 11:00
    
p.innerText = html; return p.innerHTML – Bekim Bacaj Nov 27 '16 at 8:58
up vote 14 down vote

I've enhanced the mustache.js example adding the escapeHTML() method to the string object.

var __entityMap = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': '&quot;',
    "'": '&#39;',
    "/": '&#x2F;'
};

String.prototype.escapeHTML = function() {
    return String(this).replace(/[&<>"'\/]/g, function (s) {
        return __entityMap[s];
    });
}

That way it is quite easy to use "Some <text>, more Text&Text".escapeHTML()

share|improve this answer
up vote 14 down vote

escape() and unescape() are intended to encode / decode strings for URLs, not HTML.

Actually, I use the following snippet to do the trick that doesn't require any framework:

var escapedHtml = html.replace(/&/g, '&amp;')
                      .replace(/>/g, '&gt;')
                      .replace(/</g, '&lt;')
                      .replace(/"/g, '&quot;')
                      .replace(/'/g, '&apos;');
share|improve this answer
    
If you're going to have "s then you need to add at least ' and `` to the fray. Those are only really needed for string tag data inside elements in html. For html data itself (outside tags) only the first 3 are required. – Marius Jul 12 '13 at 12:01
up vote 11 down vote

I realize how late I am to this party, but I have a very easy solution that does not require jQuery.

escaped = new Option(unescaped).innerHTML;

Edit: This does not escape quotes. The only case where quotes would need to be escaped is if the content is going to be pasted inline to an attribute within an HTML string. It is hard for me to imagine a case where doing this would be good design.

share|improve this answer
    
This seems to be the most concise and easiest answer. – AntonB Sep 6 '16 at 22:19
    
This doesn't change quotes - at least right now in Firefox 52. – getsetbro Jan 10 at 20:55
    
Escaping quotes is only functionally relevant in attributes. Since we are escaping < and >, there is no benefit to escaping the quotes as well, unless the intent of the generated content is to go into an attribute. – Adam Leggett Jan 10 at 21:38
up vote 9 down vote

If you have underscore.js, use _.escape (more efficient than the jQuery method posted above):

_.escape('Curly, Larry & Moe'); // returns: Curly, Larry &amp; Moe
share|improve this answer
up vote 4 down vote

If your're going the regex route, there's an error in tghw's example above.

<!-- WON'T WORK -  item[0] is an index, not an item -->

var escaped = html; 
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g,"&gt;"], [/"/g,
"&quot;"]]

for(var item in findReplace) {
     escaped = escaped.replace(item[0], item[1]);   
}


<!-- WORKS - findReplace[item[]] correctly references contents -->

var escaped = html;
var findReplace = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]]

for(var item in findReplace) {
     escaped = escaped.replace(findReplace[item[0]], findReplace[item[1]]);
}
share|improve this answer
2  
I believe it should be for(var item in findReplace) { escaped = escaped.replace(findReplace[item][0], findReplace[item][1]); } – Chris Stephens Jun 23 '11 at 21:23
up vote 3 down vote

This is a nice safe example...

function escapeHtml(str) {
    if (typeof(str) == "string"){
        try{
            var newStr = "";
            var nextCode = 0;
            for (var i = 0;i < str.length;i++){
                nextCode = str.charCodeAt(i);
                if (nextCode > 0 && nextCode < 128){
                    newStr += "&#"+nextCode+";";
                }
                else{
                    newStr += "?";
                }
             }
             return newStr;
        }
        catch(err){
        }
    }
    else{
        return str;
    }
}
share|improve this answer
2  
What types of exceptions are you suppressing there? – Stefan Majewsky Nov 16 '12 at 16:08
up vote 2 down vote 
(function(undefined){
    var charsToReplace = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;'
    };

    var replaceReg = new RegExp("[" + Object.keys(charsToReplace).join("") + "]", "g");
    var replaceFn = function(tag){ return charsToReplace[tag] || tag; };

    var replaceRegF = function(replaceMap) {
        return (new RegExp("[" + Object.keys(charsToReplace).concat(Object.keys(replaceMap)).join("") + "]", "gi"));
    };
    var replaceFnF = function(replaceMap) {
        return function(tag){ return replaceMap[tag] || charsToReplace[tag] || tag; };
    };

    String.prototype.htmlEscape = function(replaceMap) {
        if (replaceMap === undefined) return this.replace(replaceReg, replaceFn);
        return this.replace(replaceRegF(replaceMap), replaceFnF(replaceMap));
    };
})();

No global variables, some memory optimization. Usage: 

"some<tag>and&symbol©".htmlEscape({'©': '&copy;'})

result is: 

"some&lt;tag&gt;and&amp;symbol&copy;"
share|improve this answer
up vote 2 down vote 
function htmlEscape(str) {
    var stringval="";
    $.each(str, function (i, element) {
        alert(element);
        stringval += element
            .replace(/&/g, '&amp;')
            .replace(/"/g, '&quot;')
            .replace(/'/g, '&#39;')
            .replace(/</g, '&lt;')
            .replace(/>/g, '&gt;')
            .replace(' ', '-')
            .replace('?', '-')
            .replace(':', '-')
            .replace('|', '-')
            .replace('.', '-');
    });
    alert(stringval);
    return String(stringval);
}
share|improve this answer
1  
beware, this throws away information – Jasen Oct 30 '15 at 1:13
up vote 1 down vote

You can easily do it with vanilla js.

Simply add a text node the document. It will be escaped by the browser.

var escaped = document.createTextNode("<HTML TO/ESCAPE/>")
document.getElementById("[PARENT_NODE]").appendChild(escaped)
share|improve this answer
up vote 1 down vote

2 simple methods that require NO JQUERY...

You can encode all characters in your string like this:

function encode(e){return e.replace(/[^]/g,function(e){return"&#"+e.charCodeAt(0)+";"})}

Or just target the main characters to worry about &, line breaks, <, >, " and ' like:

function encode(r){
return r.replace(/[\x26\x0A\<>'"]/g,function(r){return"&#"+r.charCodeAt(0)+";"})
}

var myString='Encode HTML entities!\n"Safe" escape <script></'+'script> & other tags!';

test.value=encode(myString);

testing.innerHTML=encode(myString);

/*************
* \x26 is &ampersand (it has to be first),
* \x0A is newline,
*************/
<p><b>What JavaScript Generated:</b></p>

<textarea id=test rows="3" cols="55"></textarea>

<p><b>What It Renders Too In HTML:</b></p>

<div id="testing">www.WHAK.com</div>

share|improve this answer
up vote 0 down vote 
function htmlDecode(t){
   if (t) return $('<div />').html(t).text();
}

works like a charm

share|improve this answer
    
text removes html tags, but $('<div />').html(t).html(); works – Bass Jobsen Aug 8 '13 at 19:50
up vote -1 down vote

This answer provides the jQuery and normal JS methods, but this is shortest without using the DOM:

unescape(escape("It's > 20% less complicated this way."))

Escaped string: It%27s%20%3E%2020%25%20less%20complicated%20this%20way.

If the escaped spaces bother you, try:

unescape(escape("It's > 20% less complicated this way.").replace(/%20/g, " "))

Escaped string: It%27s %3E 20%25 less complicated this way.

Unfortunately, the escape() function was deprecated in JavaScript version 1.5. encodeURI() or encodeURIComponent() are alternatives, but they ignore ', so the last line of code would turn into this:

decodeURI(encodeURI("It's > 20% less complicated this way.").replace(/%20/g, " ").replace("'", '%27'))

All major browsers still support the short code, and given the number of old websites, i doubt that will change soon.

share|improve this answer
    
This is for URL encoding. The question was about HTML escaping, which is very different. – thelem Oct 15 '15 at 9:22
    
@thelem, not if the strings are embedded in JavaScript arrays embedded in HTML, but i agree it was about plain HTML escaping so it can be immediately displayed as text. – Cees Timmerman Oct 15 '15 at 13:02
up vote -2 down vote

If you are saving this information in a database, its wrong to escape HTML using a client-side script, this should be done in the server. Otherwise its easy to bypass your XSS protection.

To make my point clear, here is a exemple using one of the answers:

Lets say you are using the function escapeHtml to escape the Html from a comment in your blog and then posting it to your server.

var entityMap = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': '&quot;',
    "'": '&#39;',
    "/": '&#x2F;'
  };

  function escapeHtml(string) {
    return String(string).replace(/[&<>"'\/]/g, function (s) {
      return entityMap[s];
    });
  }

The user could:

  • Edit the POST request parameters and replace the comment with javascript code.
  • Overwrite the escapeHtml function using the browser console.

If the user paste this snippet in the console it would bypass the XSS validation:

function escapeHtml(string){
   return string
}
share|improve this answer
    
I disagree. To bypass this XSS protection you'd have to use a XSS attack (injecting a script that disables the escaping), which is what you are actually blocking. In certain cases it's actually more appropriate to escape on the client, for example if the data comes from a REST API that has to return standard JSON. – Qualcuno Mar 13 '15 at 18:00
    
@Qualcuno If you are doing this validation in the client and posting this information to the server trusting it was validated the user could simply edit the request and the script would be saved in the database. – Kauê Gimenes Mar 13 '15 at 18:12
    
@Qualcuno I included some examples to make my point more clear. – Kauê Gimenes Mar 13 '15 at 18:21
1  
The question was about escaping strings received from the server to display them on the browser. What you are saying is about escaping strings before submitting them to the server, which is a different thing (though you're right, there, and it goes back to the old rule never blindly accept any input from the client) – Qualcuno Mar 13 '15 at 18:26
    
@Qualcuno This is a popular question in Stackoverflow, and i believe this is an important point to be covered. Thats why i answered. – Kauê Gimenes Mar 13 '15 at 18:29
up vote -2 down vote

All solutions are useless if you dont prevent re-escape, e.g. most solutions would keep escaping & to &amp;.

escapeHtml = function (s) {
    return s ? s.replace(
        /[&<>'"]/g,
        function (c, offset, str) {
            if (c === "&") {
                var substr = str.substring(offset, offset + 6);
                if (/&(amp|lt|gt|apos|quot);/.test(substr)) {
                    // already escaped, do not re-escape
                    return c;
                }
            }
            return "&" + {
                "&": "amp",
                "<": "lt",
                ">": "gt",
                "'": "apos",
                '"': "quot"
            }[c] + ";";
        }
    ) : "";
};
share|improve this answer
1  
That's called double escaping and should be fixed by making sure your input data is not already escaped. What if you wanted to literally show &lt; to the user? Or perhaps the text is going to be reused elsewhere, and depend on the escaping having happened? – thelem Oct 15 '15 at 9:26

protected by Michael Berkowski May 26 '14 at 19:27

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).

Would you like to answer one of these unanswered questions instead?

Not the answer you're looking for? Browse other questions tagged or ask your own question.