Tagged template literal with XSS protection for untrusted content.
Security: Escapes &, <, >, ", ' to prevent script injection, tag injection, and attribute injection attacks.
Performance: Same optimizations as html with additional escaping step. Use html for trusted content to avoid escape overhead.
Critical for: User input, form data, API responses, comments, any external content.
const userInput = '<script>alert("XSS")</script>';
safeHtml`<p>${userInput}</p>`
// Angle brackets and quotes are escaped, so the markup renders as text: "<p>&lt;script&gt;...&lt;/script&gt;</p>"

const users = [{name: '<script>', email: 'user@test.com'}];
safeHtml`<table>${users.map(u => safeHtml`<tr><td>${u.name}</td></tr>`)}</table>`
// Escapes user.name; the nested safeHtml results are inserted as markup, so the table structure stays intact
Parameters: the static template parts, followed by a rest parameter holding the dynamic values that are interpolated and escaped.
Returns: rendered HTML with the dynamic content escaped.
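To make the mechanism concrete, the following is an added, self-contained JavaScript illustration of how a safeHtml-style tag can behave: static template parts are emitted as written, interpolated values have the five characters escaped, and values produced by a nested safeHtml call are inserted without a second round of escaping. This is not the library's own code. The SafeMarkup wrapper class, the recursion into arrays (as produced by .map in the documentation's second example) and the exact quote entities are assumptions made for this example; the documentation only states which characters are escaped and that nested calls keep the structure intact.

```javascript
// Added illustration of a safeHtml-style tagged template; not the library's implementation.
// Assumptions: trusted markup is carried in a SafeMarkup wrapper (hypothetical class name),
// arrays of values (e.g. from .map) are joined without a separator, and quotes are escaped
// as &quot; and &#39;.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in text and attribute-value contexts.
// A single-pass replace means the inserted '&' of an entity is never re-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marks a string as markup that has already been rendered by safeHtml, so an
// enclosing template passes it through instead of escaping it a second time.
class SafeMarkup {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Render one interpolated value: trusted markup passes through, arrays are
// rendered element by element, null/undefined render as empty, everything else is escaped.
function renderValue(value) {
  if (value instanceof SafeMarkup) return value.markup;
  if (Array.isArray(value)) return value.map(renderValue).join('');
  if (value === null || value === undefined) return '';
  return escapeHtml(value);
}

// The tag: the developer-written static parts are trusted, every dynamic value is escaped.
function safeHtml(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i < values.length) out += renderValue(values[i]);
  }
  return new SafeMarkup(out);
}

// The documentation's first example: a script tag in user input is neutralised.
function exampleScriptTag() {
  const userInput = '<script>alert("XSS")</script>'; // constructed sample input
  return safeHtml`<p>${userInput}</p>`.toString();
}

// The documentation's second example: nested safeHtml rows keep their structure,
// while the untrusted name inside each row is escaped.
function exampleNestedRows() {
  const users = [{ name: '<script>', email: 'user@test.com' }]; // constructed sample data
  return safeHtml`<table>${users.map(u => safeHtml`<tr><td>${u.name}</td></tr>`)}</table>`.toString();
}

// Attribute context: escaping the quote means the value cannot close the attribute
// and start a new one, which is the attribute-injection case the documentation names.
function exampleAttribute() {
  const title = '" onmouseover="alert(1)'; // constructed sample input
  return safeHtml`<a title="${title}">link</a>`.toString();
}

// Already-rendered markup is not escaped again when embedded in an outer template.
function exampleNoDoubleEscape() {
  const inner = safeHtml`<b>${'Tom & Jerry'}</b>`; // '&' escaped once here
  return safeHtml`<p>${inner}</p>`.toString();      // passed through unchanged
}

console.log(exampleScriptTag());
console.log(exampleNestedRows());
console.log(exampleAttribute());
console.log(exampleNoDoubleEscape());
```

The wrapper-class approach is one common way to tell "already safe" output from a plain untrusted string; whatever the real library uses internally, the observable behaviour in the documentation's examples is the same: dynamic strings are escaped, nested template results are not.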