Try it yourself with our free Html Entity Encoder tool — runs entirely in your browser, no signup needed.

How to HTML encode in Node.js

How to HTML encode in Node.js

HTML encoding is the process of converting special characters in a string into their corresponding HTML entities. This is a crucial step in preventing cross-site scripting (XSS) attacks and ensuring the security of your web application. In Node.js, HTML encoding can be achieved using a few different methods. In this guide, we will explore the most effective way to HTML encode in Node.js.

Quick Example

Here is a minimal example of how to HTML encode a string in Node.js:

const he = require('he');

const input = '<script>alert("XSS")</script>';
const encoded = he.escape(input);

console.log(encoded); // Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

To use this code, you will need to install the he package using npm:

npm install he

Step-by-Step Breakdown

Let's take a closer look at the code:

  • const he = require('he');: We import the he package, which provides a simple and efficient way to HTML encode strings.
  • const input = '<script>alert("XSS")</script>';: We define a string that contains a malicious script tag. This is the input we want to HTML encode.
  • const encoded = he.escape(input);: We use the he.escape() function to HTML encode the input string. This function replaces special characters with their corresponding HTML entities.
  • console.log(encoded);: We log the encoded string to the console.

Handling Edge Cases

Empty/Null Input

If the input string is empty or null, the he.escape() function will return an empty string. This is the expected behavior.

const input = '';
const encoded = he.escape(input);
console.log(encoded); // Output: ''

Invalid Input

If the input is not a string, the he.escape() function will throw a TypeError. To handle this, you can add a simple type check:

const input = 123;
if (typeof input !== 'string') {
  throw new Error('Input must be a string');
}
const encoded = he.escape(input);
console.log(encoded);

Large Input

The he.escape() function can handle large input strings without any issues. However, if you need to encode a very large string, you may want to consider using a streaming approach to avoid memory issues.

const largeInput = '...very large string...';
const encoded = [];
for (let i = 0; i < largeInput.length; i += 1024) {
  const chunk = largeInput.slice(i, i + 1024);
  encoded.push(he.escape(chunk));
}
const finalEncoded = encoded.join('');
console.log(finalEncoded);

Unicode/Special Characters

The he.escape() function correctly handles Unicode and special characters. For example:

const input = 'Hello, Sérgio!';
const encoded = he.escape(input);
console.log(encoded); // Output: Hello, S&#233;rgio!

Common Mistakes

1. Not checking for null/undefined input

// Wrong
const encoded = he.escape(input);

// Corrected
if (input != null) {
  const encoded = he.escape(input);
  console.log(encoded);
} else {
  console.log('Input is null or undefined');
}

2. Not handling non-string input

// Wrong
const input = 123;
const encoded = he.escape(input);

// Corrected
if (typeof input === 'string') {
  const encoded = he.escape(input);
  console.log(encoded);
} else {
  throw new Error('Input must be a string');
}

3. Not using the correct encoding function

// Wrong
const encoded = input.replace(/&/g, '&amp;');

// Corrected
const encoded = he.escape(input);

Performance Tips

1. Use the he package

The he package is optimized for performance and is the recommended way to HTML encode strings in Node.js.

2. Avoid using regular expressions

Regular expressions can be slow and inefficient for HTML encoding. Instead, use the he.escape() function.

3. Use a streaming approach for large input

If you need to encode very large strings, consider using a streaming approach to avoid memory issues.

FAQ

Q: What is the difference between HTML encoding and URL encoding?

A: HTML encoding is used to encode strings for display in HTML documents, while URL encoding is used to encode strings for use in URLs.

Q: Can I use the he package in the browser?

A: Yes, the he package can be used in the browser, but it requires a browser-specific build.

Q: How do I handle malformed input?

A: You can use a try-catch block to catch any errors that occur during encoding.

Q: Can I customize the encoding function?

A: Yes, the he package provides options for customizing the encoding function.

Q: Is the he package secure?

A: Yes, the he package is designed to be secure and follows best practices for HTML encoding.

Related Resources

Html Entity Encoder

Use the interactive html entity encoder tool

More Html Entity Encoder Examples

See all languages and use cases

All Code Examples

Browse examples for every language and use case

All Developer Tools

50+ free online developer tools

AI agent tools available. The CodeTidy MCP Server gives Claude, Cursor, and other AI agents access to 60+ developer tools. One command: npx @codetidy/mcp