how to escape xml entities in javascript?

Question

In JavaScript (server side nodejs) I'm writing a program which generates xml as output.

I am building the xml by concatenating a string:

str += '<' + key + '>'; str += value; str += '</' + key + '>'; 

The problem is: What if value contains characters like '&', '>' or '<'? What's the best way to escape those characters?

or is there any javascript library around which can escape XML entities?

Answer 1

HTML encoding is simply replacing &, ", ', < and > chars with their entity equivalents. Order matters, if you don't replace the & chars first, you'll double encode some of the entities:

if (!String.prototype.encodeHTML) {   String.prototype.encodeHTML = function () {     return this.replace(/&/g, '&amp;')                .replace(/</g, '&lt;')                .replace(/>/g, '&gt;')                .replace(/"/g, '&quot;')                .replace(/'/g, '&apos;');   }; } 

_{As @Johan B.W. de Vries pointed out, this will have issues with the tag names, I would like to clarify that I made the assumption that this was being used for the value only}

Conversely if you want to decode HTML entities¹, make sure you decode & to & after everything else so that you don't double decode any entities:

if (!String.prototype.decodeHTML) {   String.prototype.decodeHTML = function () {     return this.replace(/&apos;/g, "'")                .replace(/&quot;/g, '"')                .replace(/&gt;/g, '>')                .replace(/&lt;/g, '<')                .replace(/&amp;/g, '&');   }; } 

_{1 just the basics, not including © to © or other such things}

---

As far as libraries are concerned. Underscore.js (or Lodash if you prefer) provides an _.escape method to perform this functionality.