Escape
ELI5 — The Vibe Check
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command. Like turning < into &lt; so the browser shows it as text instead of treating it as the start of a tag. Escaping is context-specific: HTML escaping, SQL escaping, and shell escaping are all different, and using the wrong one for the spot you are writing into is as bad as not escaping at all.
Real Talk
Escaping is the process of converting the characters that have special meaning in the current output context into a form that context's parser treats as literal data, so untrusted input cannot change the structure of the document, query, or command it lands in. HTML escaping converts <, >, &, " and ' to the entities &lt;, &gt;, &amp;, &quot; and &#39;. For SQL the right answer is usually not escaping at all but parameterized queries (prepared statements), which keep data out of the query text entirely; hand-rolled SQL escaping is database-specific and easy to get wrong. For shell commands, prefer an API that runs a program with an argument array and no shell at all (execFile in Node, subprocess.run with a list in Python); when a shell string is unavoidable, quote each argument with a library such as Python's shlex.quote or the shellescape/shell-escape packages rather than by hand. The escaper must match the innermost context the value ends up in: HTML-escaping a value that is dropped into a JavaScript string, a URL, or a CSS rule does not protect you.
Show Me The Code
// HTML escaping prevents XSS: each character that could open a tag, start an
// entity, or close an attribute value is replaced with its entity.
// & must be replaced first; otherwise the & inside the entities produced by the
// later steps would be escaped again (&lt; would become &amp;lt;).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
// Most templating engines escape by default: Handlebars always, Jinja2 only
// when autoescape is on (Flask turns it on for .html templates; a bare
// jinja2.Environment() does not).
// {{ userInput }}   ← escaped
// {{{ userInput }}} ← raw in Handlebars, dangerous! (Jinja2 equivalent: {{ userInput|safe }})
When You'll Hear This
"Escape all user-supplied data before inserting it into HTML." / "Handlebars escapes by default — use triple braces only when you trust the content."
Related Terms
Encoding
Encoding is converting data into a different format for safe transport or storage — not for security, but to prevent misinterpretation.
Input Validation
Input validation is checking that user input is what you expect before using it.
Sanitization
Sanitization is cleaning up user input before using it, by stripping or rewriting anything dangerous, like script tags in user-supplied HTML. Unlike escaping it changes the data, and it does not replace parameterized queries for SQL.
SQL Injection
SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.
XSS (Cross-Site Scripting)
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.