Module escape

HTML, CSS, URL, and attribute sanitization utilities for the render pipeline.

Every piece of user-supplied content that flows into the HTML output must pass through one of these functions to prevent Cross-Site Scripting (XSS) and CSS injection attacks.

The module provides several layers of defense:

Text escaping (escapeHtml, escapeAttr, escapeJsString)
URL scheme blocking (isDangerousUrl) against javascript:, data:, vbscript:
Attribute allowlisting (isSafeAttribute) to block event handlers (on*)
CSS value sanitization (isDangerousCssValue, sanitizeStyleValue) with normalization to defeat CSS escape/comment bypass techniques
Composite attribute sanitization (sanitizeAttributes) combining all checks

Functions

escapeAttr
escapeHtml
escapeJsString
escapeStyleContent
isDangerousCssValue
isDangerousUrl
isSafeAttribute
isValidCssColor
isValidEmail
sanitizeAttributes
sanitizeCssColor
sanitizeStyleValue

Module escape

Functions

Settings

On This Page