Fastest method to escape HTML tags as HTML entities?

I'm writing a Chrome extension that involves doing a lot of the following job: sanitizing strings that might contain HTML tags, by converting <, > and & to &lt;, &gt; and &amp;, respectively.

(In other words, the same as PHP's htmlspecialchars(str, ENT_NOQUOTES) – I don't think there's any real need to convert double-quote characters.)

This is the fastest function I have found so far:

function safe_tags(str) {
    // Replace & first so the entities produced for < and > are not re-escaped
    return str.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;') ;
}

But there's still a big lag when I have to run a few thousand strings through it in one go.

Can anyone improve on this? It's mostly for strings between 10 and 150 characters, if that makes a difference.

(One idea I had was not to bother encoding the greater-than sign – would there be any real danger with that?)
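
The question assumes quotes never need converting. That holds for element text but not for quoted attribute values, as this added example shows (it is not code from the thread; `escapeText`, `escapeAttr`, `attributeNames`, `renderLink` and the sample value are constructed for illustration):

```javascript
// Added example (not from the original thread). All names are hypothetical.

// The question's escaper: same character set as htmlspecialchars(str, ENT_NOQUOTES).
function escapeText(str) {
  return String(str).replace(/[&<>]/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c];
  });
}

// Single-pass escaper that also covers both quote characters, so the
// result can sit inside a quoted attribute value as well as element text.
var ATTR_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(str) {
  return String(str).replace(/[&<>"']/g, function (c) { return ATTR_MAP[c]; });
}

// Minimal scanner for ONE start tag whose attributes are all double-quoted:
// returns the attribute names a parser would see. Used only to show the
// effect of an unescaped quote; it is not a general HTML parser.
function attributeNames(tag) {
  var names = [], re = /\s([^\s=>"]+)="[^"]*"/g, m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Builds markup with the value placed inside a double-quoted attribute.
function renderLink(escaper, title) {
  return '<a href="/item" title="' + escaper(title) + '">item</a>';
}

// Constructed sample input: a value containing a double quote.
var sample = 'x" data-extra="1';

function demo() {
  return {
    textOnly: attributeNames(renderLink(escapeText, sample)),   // quote ends the title value early
    withQuotes: attributeNames(renderLink(escapeAttr, sample))  // value stays inside title
  };
}

console.log(demo());
```

With the three-character escaper the value leaks out of `title` and the tag gains an attribute the template never wrote; with quotes escaped the tag keeps exactly `href` and `title`.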

You could try passing a callback function to perform the replacement:

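// Map each special character to its entity
var tagsToReplace = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;'
};

function replaceTag(tag) {
    return tagsToReplace[tag] || tag;
}

// One regex pass over the string instead of three chained replace calls
function safe_tags_replace(str) {
    return str.replace(/[&<>]/g, replaceTag);
}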

Here is a performance test to compare with calling the replace function repeatedly, and with using the DOM method proposed by Dmitrij.

Your way seems to be faster...

Why do you need it, though?

Here's one way you can do this:

// A detached textarea lets the browser do the entity conversion
var escape = document.createElement('textarea');
function escapeHTML(html) {
    escape.textContent = html;
    return escape.innerHTML;
}

function unescapeHTML(html) {
    escape.innerHTML = html;
    return escape.textContent;
}

Here's a demo.

Martijn's method as a prototype function:

String.prototype.escape = function() {
    var tagsToReplace = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;'
    };
    return this.replace(/[&<>]/g, function(tag) {
        return tagsToReplace[tag] || tag;
    });
};

var a = "<abc>";
var b = a.escape(); // "&lt;abc&gt;"

The AngularJS source code also has a version inside of angular-sanitize.js.

var SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g,
    // Match everything outside of normal chars and " (quote character)
    NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g;
/**
 * Escapes all potentially dangerous characters, so that the
 * resulting string can be safely inserted into attribute or
 * element text.
 * @param value
 * @returns {string} escaped text
 */
function encodeEntities(value) {
  return value.
    replace(/&/g, '&amp;').
    replace(SURROGATE_PAIR_REGEXP, function(value) {
      var hi = value.charCodeAt(0);
      var low = value.charCodeAt(1);
      return '&#' + (((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000) + ';';
    }).
    replace(NON_ALPHANUMERIC_REGEXP, function(value) {
      return '&#' + value.charCodeAt(0) + ';';
    }).
    replace(/</g, '&lt;').
    replace(/>/g, '&gt;');
}

The fastest method is:

function escapeHTML(html) {
    // Wrap the string in a text node and read back the parent's serialized HTML
    return document.createElement('div').appendChild(document.createTextNode(html)).parentNode.innerHTML;
}

This method is about twice as fast as the methods based on 'replace', see .

