Hi!
In the HTML node to generate HTML templates, there is a warning for XSS attacks, which is great! However, n8n users have no built-in way to escape HTML characters (" ' < > &) from incoming $json.
I think it would be a great idea to add this function:
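function escapeHTML(str) {
  // Replace & first so the entities produced by the later replacements are not escaped again
  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}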
to the built-in convenience functions for strings.
What do you think?
Thank you!
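
Added example, not part of the original post and not n8n's own code: one way to apply this escaping to a whole incoming item before it is interpolated into an HTML template, including non-string and nested values. The names `escapeHtml`, `escapeDeep`, `renderCard` and `sampleItem` are hypothetical, and `sampleItem` is constructed data standing in for `$json`.

```javascript
// Hypothetical helper names; sample data is constructed for illustration.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape one value for use in HTML text or inside a quoted attribute value.
// Non-strings are stringified first; null and undefined become ''.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  // A single pass over the input, so '&' in produced entities is never re-escaped.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Recursively escape every string in an item; numbers, booleans and null are left as-is.
function escapeDeep(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(escapeDeep);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([key, inner]) => [key, escapeDeep(inner)])
    );
  }
  return value;
}

// Constructed sample standing in for an incoming $json item.
const sampleItem = {
  name: 'Tom & "Jerry"',
  comment: '<script>alert(1)</script>',
  tags: ["it's", 'a<b'],
  count: 3,
};

// Build the markup only from the escaped copy of the item.
function renderCard(json) {
  const safe = escapeDeep(json);
  return `<div title="${safe.name}"><p>${safe.comment}</p>` +
    `<small>${safe.tags.join(', ')} (${safe.count})</small></div>`;
}

console.log(renderCard(sampleItem));
```

This escaping covers HTML text and quoted attribute values only; values placed inside `<script>` blocks, inline event handlers, or URLs need encoding specific to those contexts.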