@daformat
Created July 17, 2023 04:55
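// Sample input: markup that would run script if inserted into a page unescaped.
const str = "<svg onload=alert(1)>";
// In a browser, let the DOM do the escaping; elsewhere (e.g. Node.js) there is no document.
const host = typeof document !== 'undefined' ? document.createElement("p") : undefined;
let converted;
if (host) {
  // Assigning textContent stores the string as text; reading innerHTML serializes it with &, < and > escaped.
  host.textContent = str;
  converted = host.innerHTML;
} else {
  // Fallback: escape & first so the result matches the DOM path and input entities are not left decodable.
  converted = str.replaceAll('&', '&amp;').replaceAll('<', '&lt;').replaceAll('>', '&gt;');
}
// Neither path escapes quotes, so the result is safe in element content only, not inside attribute values.
console.log(converted); // &lt;svg onload=alert(1)&gt;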