TypeScript

Template Tag for Safe HTML

by @admin ADMIN

5h ago

May 31, 2026

Public

0 0 up · 0 down Sign in to vote

Build HTML strings with a tagged template literal that auto-escapes every interpolated value. Eliminates a class of XSS bugs without pulling in a templating library.

TypeScript

Raw

function esc(s: unknown): string {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]!));
}

export function html(strings: TemplateStringsArray, ...values: unknown[]): string {
  return strings.reduce((acc, str, i) =>
    acc + str + (i < values.length ? esc(values[i]) : ''), '');
}

const name = '<script>alert(1)</script>';
const out  = html`<p>Hello, ${name}!</p>`;
// '<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;!</p>'

Save your own code snippets

Create a free account and build your private vault. Share publicly whenever you want.

Get Started Free Sign In