
How do I encode an HTML attribute from an EJS template in NodeJS? I need to do something like:

<img onmouseover=<% myString %> />

Where myString would then be properly escaped and quoted to be a valid attribute.

2 Answers

4

You could try this:

npm install node-html-encoder

app.locals.encoder = require('node-html-encoder').Encoder;

<%= encoder.htmlEncode('<foo /> "bar"') %>

0

Short answer:

// escape single quotes and backslashes so the value survives inside a single-quoted JS string
myString = myString.replace(/'|\\/g, '\\$&');

But if you need to escape HTML special characters too you can try:

// replace the HTML-significant characters with their entities (ampersand first, so the others are not double-encoded)
myString = myString.replace(/&/g, '&amp;');
myString = myString.replace(/</g, '&lt;');
myString = myString.replace(/>/g, '&gt;');

P.S. Take care not to escape JavaScript operators using the replacements for HTML characters!

2 Comments

-1: Don't do things like this manually, because it's never as simple as it seems.
If you are going to encode attributes yourself, make sure you escape all the characters specified by OWASP.
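As an added example, not taken from either answer above, here is the OWASP-style approach the last comment refers to, written for Node.js: every non-alphanumeric character is encoded, and because onmouseover holds JavaScript inside an HTML attribute, the value is first made a safe JS string literal and then HTML-attribute-encoded on the outside. The helper names encodeForHtmlAttribute, encodeForJsString, imgWithHover and showName are my own assumptions, and the sample input is constructed.

```javascript
// Added example (not from the original answers). HTML-attribute encoder using the
// OWASP rule: encode every character except [A-Za-z0-9] as a numeric entity, so the
// output is safe inside a quoted attribute whichever quote character is used.
// Assumed helper name: encodeForHtmlAttribute.
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return '&#x' + code.toString(16).toUpperCase() + ';';
  });
}

// An event-handler attribute such as onmouseover is JavaScript *inside* HTML, so the
// untrusted value must first become a safe JS string literal (\xHH / \uHHHH escapes)
// before the attribute-level encoding is applied. Assumed helper name: encodeForJsString.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Builds the tag the question asks about: both layers applied, attribute always quoted.
// The browser decodes the entities first, then the JS engine sees showName('...').
function imgWithHover(untrustedName) {
  const jsLiteral = "'" + encodeForJsString(untrustedName) + "'";
  return '<img onmouseover="showName(' + encodeForHtmlAttribute(jsLiteral) + ')" />';
}

// Constructed sample input: the double quote is exactly what the manual replacements
// in the second answer leave untouched, which would end a double-quoted attribute early.
const sample = 'O\'Reilly" onerror="x';
console.log(imgWithHover(sample));
```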
