JavaScript contextual output encoders.
Provides five encoding contexts:
- for_javascript — universal encoder, safe in HTML attributes, script blocks, and standalone .js files
- for_javascript_attribute — optimized for HTML event attributes (e.g., onclick="...")
- for_javascript_block — optimized for <script> blocks
- for_javascript_source — optimized for standalone .js / JSON files
- for_js_template — for ES6 template literal content (`...`)
§Security notes
- The string literal encoders (for_javascript, for_javascript_attribute, for_javascript_block, for_javascript_source) do not encode the grave accent (`). Do not use them to embed data inside template literals — use for_js_template instead.
- These encoders are for string/template literal contexts only. They cannot make arbitrary JavaScript expressions, variable names, or property accessors safe.
- for_javascript_block and for_javascript_source use backslash escapes for quotes (\", \') which are not safe in HTML attribute contexts. for_javascript_attribute does not escape / and is not safe in <script> blocks where </script> could appear.
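The context rules in the notes above can be checked mechanically, for example in a template test suite. The following is an added example, not code from the crate: `hazard` and `Context` are hypothetical names, and the sample strings are constructed rather than captured encoder output.

```rust
// Added example: context-hazard check for already-encoded output.
// Hypothetical helper, not part of the documented crate.
#[derive(Clone, Copy)]
enum Context {
    HtmlAttribute(char), // the attribute's delimiter: '"' or '\''
    ScriptBlock,
    TemplateLiteral,
}

/// Returns the first hazard found when `encoded` (the body of a JavaScript
/// string or template literal) is placed in `ctx`, or None if none is found.
fn hazard(encoded: &str, ctx: Context) -> Option<&'static str> {
    match ctx {
        // HTML attribute parsing ignores backslashes, so \" still ends a
        // double-quoted attribute value.
        Context::HtmlAttribute(q) if encoded.contains(q) => Some("delimiter quote ends the attribute value"),
        // The HTML parser closes the script element at "</script" wherever it
        // appears, including inside a JavaScript string literal.
        Context::ScriptBlock if encoded.to_ascii_lowercase().contains("</script") => Some("</script closes the script block"),
        // Inside a template literal only a backslash neutralizes ` and ${.
        Context::TemplateLiteral => {
            let b = encoded.as_bytes();
            let mut i = 0;
            while i < b.len() {
                match b[i] {
                    b'\\' => i += 1, // skip the escaped character
                    b'`' => return Some("unescaped grave accent ends the template literal"),
                    b'$' if b.get(i + 1) == Some(&b'{') => return Some("unescaped ${ starts an interpolation"),
                    _ => {}
                }
                i += 1;
            }
            None
        }
        _ => None,
    }
}

fn main() {
    // Constructed sample strings, not output captured from the crate.
    println!("{:?}", hazard(r#"say \"hi\" <\/script>"#, Context::HtmlAttribute('"')));
    println!("{:?}", hazard(r"say \x22hi\x22 </script>", Context::ScriptBlock));
    println!("{:?}", hazard("total: `${n}`", Context::TemplateLiteral));
}
```

The check covers only the three hazards named in the notes; a None result is not a proof that the output is safe in that context.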
Functions§
- for_javascript - Encodes input for safe embedding in a JavaScript string literal.
- for_javascript_attribute - Encodes input for safe embedding in a JavaScript string literal inside an HTML event attribute (e.g., onclick="...").
- for_javascript_block - Encodes input for safe embedding in a JavaScript string literal inside an HTML <script> block.
- for_javascript_source - Encodes input for safe embedding in a JavaScript string literal in a standalone .js or JSON file.
- for_js_template - Encodes input for safe embedding inside an ES6 template literal (`...`).
- write_javascript - Writes the JavaScript-encoded form of input to out.
- write_javascript_attribute - Writes the JavaScript-attribute-encoded form of input to out.
- write_javascript_block - Writes the JavaScript-block-encoded form of input to out.
- write_javascript_source - Writes the JavaScript-source-encoded form of input to out.
- write_js_template - Writes the template-literal-encoded form of input to out.