Since: DataTables 2.0

Escape HTML entities to make a user input string safe.


DataTables is required to write to the document, which can be an unsafe operation if the data being displayed is not pre-sanitized - i.e. a hacker might attempt an injection hack. DataTables provides helper functions to address this concern and we expose the escaping function for use by extensions and plug-ins for DataTables.

This method does not attempt to encode all HTML entities, but rather to just make a simple string safe for display. This simple form is chosen for performance and meeting the requirements of most use cases. However, there are circumstances whereby you might need a more complex HTML encoder. For such cases this function can be used as a setter to give DataTables a function that it should use for escaping HTML. If used this way, the escaping function should accept a single parameter and return a sanitized string.


function escapeHtml( str )


Escape entities in a string.


Sanitized string

function escapeHtml( fn )


Set the HTML escaping function.


Escape HTML in a string:

let sanitized = DataTable.util.escapeHtml('<a href="...">Link</a>');

// sanitized is: '&lt;a href=&quot;...&quot;&gt;Link&lt;/a&gt;'