es6標簽模板轉義html


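/**
 * Tag function for template literals that HTML-escapes every substitution
 * while leaving the template's own literal text untouched.
 *
 * Usage: SaferHTML`<p>${untrusted}</p>` — the engine passes the literal
 * parts as `templateData` and each `${…}` value as a rest argument.
 *
 * @param {TemplateStringsArray|string[]} templateData - literal string parts of the template
 * @param {...*} substitutions - interpolated values; each is coerced with String() and escaped
 * @returns {string} the assembled markup with every substitution escaped
 */
function SaferHTML(templateData, ...substitutions) {
  // Characters that can change HTML structure. `&` is covered so that
  // attacker-supplied entities are neutralised; `"` and `'` are included
  // so a substitution is also safe inside a quoted attribute value, not
  // only in element text (the original set of &, <, > left attribute
  // contexts exposed).
  const ESCAPES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  // One regex pass replaces each special character exactly once, so no
  // replacement output is fed into a later replacement.
  const escape = (value) => String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);

  let html = templateData[0];
  for (let i = 0; i < substitutions.length; i++) {
    // Escape special characters in the substitution ...
    html += escape(substitutions[i]);
    // ... but never in the template's literal text. A tag call always
    // supplies one more literal part than substitutions; `?? ''` keeps a
    // hand-built, shorter array from leaking the string "undefined".
    html += templateData[i + 1] ?? '';
  }
  return html;
}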

// Untrusted input: it carries markup and an entity that must not reach the page verbatim.
const sender = '<script>alert("abc")&nbsp;</script>';
// Tagged-template call: the literal <p>…</p> stays as written, only ${sender} is escaped.
const message = SaferHTML`<p>${sender} has sent you a message.</p>`;
// Prints the escaped markup; the exact entities emitted depend on SaferHTML's escape table.
console.log(message);

