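/**
 * Escapes the five HTML-significant characters (`&`, `<`, `>`, `"`, `'`) so
 * that untrusted text can be interpolated into HTML text content or a quoted
 * attribute value without being parsed as markup.
 *
 * This covers the HTML *text* and *quoted attribute* contexts only. It does
 * not make a value safe inside a `<script>` block, an inline event handler,
 * a `style` attribute or a URL (`href`/`src`); each of those needs its own
 * context-specific encoding or validation.
 *
 * @param unsafe - Untrusted value; `null`/`undefined` are treated as empty.
 * @returns The escaped string, or `''` for `null`/`undefined`.
 */
export function escapeHtml(unsafe: string | null | undefined): string {
  if (unsafe == null) return ''
  // `&` must be replaced first: every later replacement introduces an `&`,
  // and escaping it afterwards would double-encode the output.
  // `&#39;` is used for the apostrophe because `&apos;` is not an HTML 4 entity.
  // String() keeps the original's tolerance of non-string values reaching
  // this function at runtime through loosely typed callers.
  return String(unsafe)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
}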
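/**
 * Escapes a value for use inside an HTML attribute.
 *
 * Applies {@link escapeHtml} and additionally encodes the backtick and the
 * equals sign, which some legacy parsers treat as delimiters when an
 * attribute value is unquoted. The attribute must still be wrapped in quotes
 * in the surrounding markup: escaping alone does not protect an unquoted
 * attribute, since whitespace still terminates it. This also does nothing
 * about dangerous URL schemes in `href`/`src` or code in event-handler
 * attributes, which require validation rather than escaping.
 *
 * @param unsafe - Untrusted value; `null`/`undefined` are treated as empty.
 * @returns The escaped attribute value, or `''` for `null`/`undefined`.
 */
export function escapeAttr(unsafe: string | null | undefined): string {
  if (unsafe == null) return ''
  // escapeHtml has already encoded `&`, so the entities added here are not
  // re-escaped.
  return escapeHtml(unsafe)
    .replace(/`/g, '&#96;')
    .replace(/=/g, '&#61;')
}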