Micromark HTML Character Encoder

2.0.1 · active · verified Sun Apr 19

micromark-util-encode is a focused utility package within the micromark ecosystem, designed specifically for encoding dangerous HTML characters to ensure text is safe for embedding in HTML documents. Its current stable version is 2.0.1, part of the 2.x release line which maintains compatibility with Node.js 16 and higher. As a component of the unified collective, it follows a pragmatic release cadence often aligned with major micromark and Node.js version updates. This package differentiates itself by providing a robust, performant, and standards-compliant algorithm for HTML escaping, specifically tailored for the needs of markdown processors and related text transformation tools, where correctness and minimal overhead are critical. It is fully typed with TypeScript, ensuring good developer experience for static analysis and type safety.

Common errors

```
ERR_REQUIRE_ESM
```
cause Attempting to `require()` an ESM-only package in a CommonJS context.

fix Change `const { encode } = require('micromark-util-encode')` to `import { encode } from 'micromark-util-encode'` and ensure your project is configured for ES modules.
```
TypeError: encode is not a function
```
cause Trying to import `encode` as a default import when it is a named export.

fix Ensure you are using named imports: `import { encode } from 'micromark-util-encode'`.

Warnings

breaking Version 2.x of `micromark-util-encode` is ESM-only. Direct `require()` calls for this package will result in an error.
Fix: Migrate your project to use ES modules (`import`) or ensure you're using a bundler/transpiler that handles ESM correctly. For Node.js, ensure your package.json specifies `"type": "module"` or use `.mjs` files.
breaking Version 2.x of `micromark-util-encode` officially supports Node.js 16 and higher. Older Node.js versions are not guaranteed to work and may encounter runtime errors.
Fix: Upgrade your Node.js environment to version 16 or newer. For projects requiring older Node.js compatibility, consider pinning to `micromark-util-encode@1.x` if available and compatible with your `micromark` version.
gotcha The `encode` function specifically targets HTML characters (<, >, &, ", '). It does not perform full URL encoding or sanitize other potentially unsafe content like CSS injections or script execution from attributes (e.g., `onerror`).
Fix: Always understand the specific scope of encoding. For broader security, combine with other sanitization libraries or consider a full templating engine that handles auto-escaping.

Install

npm install micromark-util-encode npm
yarn add micromark-util-encode yarn
pnpm add micromark-util-encode pnpm

Imports

encode

wrong:

const { encode } = require('micromark-util-encode')

correct:

import { encode } from 'micromark-util-encode'

This package is ESM-only. CommonJS `require()` is not supported.

encode (default)
wrong:
```
import encode from 'micromark-util-encode'
```
correct:
```
import { encode } from 'micromark-util-encode'
```
There is no default export; the `encode` function must be imported as a named export.
Types
```
import type { Value } from 'micromark-util-types'
```
While this package is fully typed, it exports no additional types directly. Core types for `micromark` are often found in `micromark-util-types` or inferred from usage.

Quickstart

Demonstrates how to import and use the `encode` function to escape common HTML special characters for safe embedding.

import { encode } from 'micromark-util-encode';

const unsafeHtml = '<script>alert("XSS")</script> & <img src="x" onerror="alert(\'Error\')">';
const safeHtml = encode(unsafeHtml);

console.log('Original:', unsafeHtml);
console.log('Encoded:', safeHtml);
// Expected output: Original: <script>alert("XSS")</script> & <img src="x" onerror="alert(\'Error\')">
// Expected output: Encoded: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt; &amp; &lt;img src=&quot;x&quot; onerror=&quot;alert(&#x27;Error&#x27;)&quot;&gt;

view raw JSON →