htmlEscape top-level constant

HtmlEscape const htmlEscape

A String converter that converts characters to HTML entities.

This is intended to sanitize text before inserting the text into an HTML document. Characters that are meaningful in HTML are converted to HTML entities (like & for &).

The general converter escapes all characters that are meaningful in HTML attributes or normal element context. Elements with special content types (like CSS or JavaScript) may need a more specialized escaping that understands that content type.

If the context where the text will be inserted is known in more detail, it's possible to omit escaping some characters (like quotes when not inside an attribute value).

The escaped text should only be used inside quoted HTML attributes values or as text content of a normal element. Using the escaped text inside a tag, but not inside a quoted attribute value, is still dangerous.

Implementation

const HtmlEscape htmlEscape = HtmlEscape();