UNPKG

html-template-tag

Version:

ES6 Tagged Template for compiling HTML template strings.

github.com/AntonioVdlC/html-template-tag

AntonioVdlC/html-template-tag

101 lines (71 loc) 2.88 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# html-template-tag [![version](https://img.shields.io/npm/v/html-template-tag.svg)](http://npm.im/html-template-tag) [![issues](https://img.shields.io/github/issues-raw/antoniovdlc/html-template-tag.svg)](https://github.com/AntonioVdlC/html-template-tag/issues) [![downloads](https://img.shields.io/npm/dt/html-template-tag.svg)](http://npm.im/html-template-tag) [![license](https://img.shields.io/npm/l/html-template-tag.svg)](http://opensource.org/licenses/MIT) ES6 Tagged Template for compiling HTML template strings. ## Installation This package is distributed via npm: ``` npm install html-template-tag ``` ## Usage ### String Interpolation At its core, this module just performs simple ES6 string interpolation. ```javascript var html = require("html-template-tag"); // - or - import html from "html-template-tag"; var name = `Antonio`; var string = html`Hello, ${name}!`; // "Hello, Antonio!" ``` Nevertheless, it escapes HTML special characters without refraining its use in loops! ```javascript var html = require("html-template-tag"); // - or - import html from "html-template-tag"; var names = ["Antonio", "Megan", "/><script>alert('xss')</script>"]; var string = html` <ul> ${names.map((name) => html` <li>Hello, ${name}!</li> `)} </ul> `; // "<ul><li>Hello, Antonio!</li><li>Hello, Megan!</li><li>Hello, /&gt;&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;!</li></ul>" ``` ### Skip autoscaping You can use double dollar signs in interpolation to mark the value as safe (which means that this variable will not be escaped). ```javascript var name = `<strong>Antonio</strong>`; var string = html`Hello, $${name}!`; // "Hello, <strong>Antonio</strong>!" ``` ### HTML Template Pre-Compiling This small module can also be used to pre-compile HTML templates: ```javascript var html = require("html-template-tag"); // - or - import html from "html-template-tag"; var data = { count: 2, names: ["Antonio", "Megan"], }; var template = ({ names }) => html` <ul> ${names.map((name) => html` <li>Hello, ${name}!</li> `)} </ul> `; var string = template(data); /* " <ul> <li>Hello, Antonio!</li> <li>Hello, Megan!</li> </ul> " */ ``` > NB: The formating of the string literal is kept. ### Interpolation inside URI attributes To avoid XSS attacks, this package removes all interpolation instide URI attributes ([more info](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)). This package also ensures that interpolations inside attributes are properly escaped. ## License MIT ## Thanks The code for this module has been heavily inspired on [Axel Rauschmayer's post on HTML templating with ES6 template strings](http://www.2ality.com/2015/01/template-strings-html.html) and [Stefan Bieschewski's comment](http://www.2ality.com/2015/01/template-strings-html.html#comment-2078932192).