# he [![Build status](https://travis-ci.org/mathiasbynens/he.svg?branch=master)](https://travis-ci.org/mathiasbynens/he) [![Code coverage status](https://codecov.io/github/mathiasbynens/he/coverage.svg?branch=master)](https://codecov.io/github/mathiasbynens/he?branch=master) [![Dependency status](https://gemnasium.com/mathiasbynens/he.svg)](https://gemnasium.com/mathiasbynens/he) _he_ (for “HTML entities”) is a robust HTML entity encoder/decoder written in JavaScript. It supports [all standardized named character references as per HTML](https://html.spec.whatwg.org/multipage/syntax.html#named-character-references), handles [ambiguous ampersands](https://mathiasbynens.be/notes/ambiguous-ampersands) and other edge cases [just like a browser would](https://html.spec.whatwg.org/multipage/syntax.html#tokenizing-character-references), has an extensive test suite, and — contrary to many other JavaScript solutions — _he_ handles astral Unicode symbols just fine. [An online demo is available.](https://mothereff.in/html-entities) ## Installation Via [npm](https://www.npmjs.com/): ```bash npm install he ``` Via [Bower](http://bower.io/): ```bash bower install he ``` Via [Component](https://github.com/component/component): ```bash component install mathiasbynens/he ``` In a browser: ```html ``` In [Node.js](https://nodejs.org/), [io.js](https://iojs.org/), [Narwhal](http://narwhaljs.org/), and [RingoJS](http://ringojs.org/): ```js var he = require('he'); ``` In [Rhino](http://www.mozilla.org/rhino/): ```js load('he.js'); ``` Using an AMD loader like [RequireJS](http://requirejs.org/): ```js require( { 'paths': { 'he': 'path/to/he' } }, ['he'], function(he) { console.log(he); } ); ``` ## API ### `he.version` A string representing the semantic version number. ### `he.encode(text, options)` This function takes a string of text and encodes (by default) any symbols that aren’t printable ASCII symbols and `&`, `<`, `>`, `"`, `'`, and `` ` ``, replacing them with character references. ```js he.encode('foo © bar ≠ baz 𝌆 qux'); // → 'foo © bar ≠ baz 𝌆 qux' ``` As long as the input string contains [allowed code points](https://html.spec.whatwg.org/multipage/parsing.html#preprocessing-the-input-stream) only, the return value of this function is always valid HTML. Any [(invalid) code points that cannot be represented using a character reference](https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides) in the input are not encoded: ```js he.encode('foo \0 bar'); // → 'foo \0 bar' ``` However, enabling [the `strict` option](https://github.com/mathiasbynens/he#strict) causes invalid code points to throw an exception. With `strict` enabled, `he.encode` either throws (if the input contains invalid code points) or returns a string of valid HTML. The `options` object is optional. It recognizes the following properties: #### `useNamedReferences` The default value for the `useNamedReferences` option is `false`. This means that `encode()` will not use any named character references (e.g. `©`) in the output — hexadecimal escapes (e.g. `©`) will be used instead. Set it to `true` to enable the use of named references. **Note that if compatibility with older browsers is a concern, this option should remain disabled.** ```js // Using the global default setting (defaults to `false`): he.encode('foo © bar ≠ baz 𝌆 qux'); // → 'foo © bar ≠ baz 𝌆 qux' // Passing an `options` object to `encode`, to explicitly disallow named references: he.encode('foo © bar ≠ baz 𝌆 qux', { 'useNamedReferences': false }); // → 'foo © bar ≠ baz 𝌆 qux' // Passing an `options` object to `encode`, to explicitly allow named references: he.encode('foo © bar ≠ baz 𝌆 qux', { 'useNamedReferences': true }); // → 'foo © bar ≠ baz 𝌆 qux' ``` #### `decimal` The default value for the `decimal` option is `false`. If the option is enabled, `encode` will generally use decimal escapes (e.g. `©`) rather than hexadecimal escapes (e.g. `©`). Beside of this replacement, the basic behavior remains the same when combined with other options. For example: if both options `useNamedReferences` and `decimal` are enabled, named references (e.g. `©`) are used over decimal escapes. HTML entities without a named reference are encoded using decimal escapes. ```js // Using the global default setting (defaults to `false`): he.encode('foo © bar ≠ baz 𝌆 qux'); // → 'foo © bar ≠ baz 𝌆 qux' // Passing an `options` object to `encode`, to explicitly disable decimal escapes: he.encode('foo © bar ≠ baz 𝌆 qux', { 'decimal': false }); // → 'foo © bar ≠ baz 𝌆 qux' // Passing an `options` object to `encode`, to explicitly enable decimal escapes: he.encode('foo © bar ≠ baz 𝌆 qux', { 'decimal': true }); // → 'foo © bar ≠ baz 𝌆 qux' // Passing an `options` object to `encode`, to explicitly allow named references and decimal escapes: he.encode('foo © bar ≠ baz 𝌆 qux', { 'useNamedReferences': true, 'decimal': true }); // → 'foo © bar ≠ baz 𝌆 qux' ``` #### `encodeEverything` The default value for the `encodeEverything` option is `false`. This means that `encode()` will not use any character references for printable ASCII symbols that don