Great points above! From my experience in larger projects, especially where edge cases pop up, using a dedicated library to escape HTML in JavaScript
is the most robust and future-proof approach.
One solid choice is the he (HTML Entities) library:
npm install he
Then in your code:
const he = require('he');
const unsafeString = '<div>This is "unsafe" text!</div>';
// he.escape() replaces &, <, >, ", ' and ` with entity references
const safeString = he.escape(unsafeString);
console.log(safeString); // &lt;div&gt;This is &quot;unsafe&quot; text!&lt;/div&gt;
Why this works:
- Comprehensive: Handles complex Unicode, edge cases, and less common entities beyond the usual suspects.
- Convenient: Well-maintained and tested — you don’t have to reinvent the wheel.
- Scalable: Perfect if you’re already using npm or bundlers and want to integrate professional-level solutions.
For production-grade projects or when you want peace of mind, libraries like he
are the way to go.
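As an added example that is not part of the reply above or of the he library: a dependency-free escaper covering the same six characters he.escape() handles, plus checks for two contexts where entity escaping alone is not enough (unquoted attribute values and URL-valued attributes such as href). The replacement table, the function names renderAttr/isSafeUrl/renderLink and the sample strings are my own constructions, not he's API.

```javascript
// Added example; not code from the original post or from the `he` library.
// Minimal escaper for the six characters he.escape() covers, plus the
// context checks that escaping by itself does not give you.

// Assumed mapping (mine); he.escape() covers the same characters.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};

// Safe for element text and for *quoted* attribute values.
// Deliberately not idempotent: escaping twice double-encodes ('&amp;' -> '&amp;amp;').
function escapeHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Always emit the attribute quoted. An unquoted attribute ends at whitespace,
// so 'x onmouseover=alert(1)' passes escapeHtml() unchanged and would still
// inject a handler if interpolated as <div class=VALUE>.
// The attribute name must be static: it is never escaped.
function renderAttr(name, value) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name)) {
    throw new Error('attribute name must be a static identifier, not untrusted input');
  }
  return `${name}="${escapeHtml(value)}"`;
}

// URL-valued attributes need scheme validation on top of escaping:
// 'javascript:alert(1)' contains none of the six escaped characters.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(url) {
  // Browsers strip tab/CR/LF anywhere in a URL and trim surrounding space,
  // so normalise the same way before looking at the scheme.
  const cleaned = String(url).replace(/[\t\n\r]/g, '').trim();
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no explicit scheme: relative URL, cannot be javascript:
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Build a link from untrusted href and text; unsafe schemes are neutralised.
function renderLink(href, text) {
  const safeHref = isSafeUrl(href) ? href : '#';
  return `<a ${renderAttr('href', safeHref)}>${escapeHtml(text)}</a>`;
}

// Constructed sample inputs for the demo below.
const samples = {
  text: '<div>This is "unsafe" text!</div>',
  unquotedBreakout: 'x onmouseover=alert(1)',
  quotedBreakout: 'x" onmouseover="alert(1)',
  badHref: 'javascript:alert(1)',
  goodHref: 'https://example.com/?a=1&b=<2>',
};

function demo() {
  console.log(escapeHtml(samples.text));
  console.log('unquoted-attr value unchanged by escaping:',
    escapeHtml(samples.unquotedBreakout) === samples.unquotedBreakout);
  console.log(renderAttr('class', samples.quotedBreakout));
  console.log(renderLink(samples.badHref, 'click'));
  console.log(renderLink(samples.goodHref, 'a & b'));
}

demo();
```

In a browser, assigning untrusted text to element.textContent sidesteps the text-context problem without any escaping; URL-valued attributes still need the scheme check however the markup is built.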