XSS Protection HTML Entities

Question

Do you think that this functions are enough to prevent XSS if used to filter user input? And should I really make my own or use XSS libraries available? Give me constructive criticism please. Thank you everyone.

/**
 * Escape HTML string to prevent XSS.
 */
export const escapeHtml = (string: string): string => {
    if (isString(string)) {
        const entityMap = {
            "&": "&",
            "<": "&lt;",
            ">": "&gt;",
            '"': "&quot;"
        };
        return string.slice(0, string.length).replace(/[&<>"]/g, (s: string): string => entityMap[s]);
    }
    return string;
};

/**
 * Loop over Object to escape each of its value to prevent XSS.
 */
export const escapeHtmlQueryObject = (obj: { [string]: string }): { [string]: string } => {
    let result = obj;
    if (obj && isObject(obj)) {
        result = Object.keys(obj).reduce((res: { [string]: string }, key: string): {
            [string]: string
        } => {
            res[key] = escapeHtml(obj[key]);
            return res;
        }, {});
    } else if (process.env.NODE_ENV !== "production" && process.env.NODE_ENV !== "test") {
        console.error(`FilterXSSQueryObject can't process ${obj.toString()}`);
    }
    return result;
};

Answer 1

Compared to this answer, you may want to escape single quotes also.

That said, if you want to make sure your code is secure, it may be better to rely on a library that has been battle tested by security experts.

People don't like loading libraries for small things, but this is an important small thing, so I wouldn't mind it.

Unrelated: it seems that you're iterating over an object's keys to access its values in a roundabout way using Object.keys, but you can also just use Object.values.