---
title: html``
description: An XSS-safe tagged template for building HTML strings with automatic escaping and signal interpolation.
order: 303
---
# HTML
An XSS-safe tagged template for building HTML strings. This is ilha's low-level templating API: you can use it directly, but JSX is the preferred authoring style for most apps.
Because `html`` ` is plain TypeScript/JavaScript, it does not require JSX syntax, a JSX runtime import, or a build transform. That makes it a great fit for no-build apps, small scripts, server-only rendering, or any place where you want ilha's escaping and composition rules without JSX tooling.
Interpolated values are HTML-escaped by default, making the safe path the default and explicit opt-in required for raw markup.
## Basic usage
```ts twoslash
import { html } from "ilha";
const name = "";
html`
${name}
`;
// →
<script>alert(1)</script>
```
## Interpolation rules
| Value type | Behavior |
| -------------------- | ------------------------------------------ |
| `string` / `number` | HTML-escaped |
| `null` / `undefined` | Omitted — renders as empty string |
| `raw(str)` | Inserted as-is, no escaping |
| `html\`…\`` | Inserted as-is, already safe |
| Signal accessor | Called automatically, value is escaped |
| Array | Each item processed recursively, no commas |
## Escaping
All string and number interpolations are escaped automatically:
```ts twoslash
import { html } from "ilha";
const userInput = ``;
const count = 42;
html`
${userInput}
`; // →
<img src=x…>
html`
${count}
`; // →
42
```
The characters `&`, `<`, `>`, `"`, and `'` are all escaped.
## Skipping null and undefined
`null` and `undefined` are silently omitted, making conditional rendering clean:
```ts twoslash
import { html } from "ilha";
const error = null;
html`
${error}
`;
// →
```
## Trusted markup with `raw()`
When you need to inject pre-sanitized or server-controlled markup, use [`raw()`](/guide/helpers/raw) to opt out of escaping:
```ts twoslash
import { html, raw } from "ilha";
const icon = ``;
html``;
// →
```
Only use `raw()` with markup you fully control. Never pass user input to `raw()`.
## Nesting html`` results
Results of html`` are already safe and pass through unescaped when interpolated into a parent template. This is the foundation of composable templates:
```ts twoslash
import { html } from "ilha";
const badge = html`New`;
html`
${badge}
Content
`;
// →
New
Content
```
## Signal accessors
Signal accessors can be interpolated without calling them. ilha detects signal accessors and calls them automatically, then escapes the result:
```ts twoslash
import ilha, { html } from "ilha";
const Island = ilha
.state("label", "hello")
// [!code highlight]
.render(({ state }) => html`
${state.label}
`);
```
Both forms are equivalent. The no-call shorthand is purely a convenience.
## List rendering
Arrays are processed recursively with no comma joining. The canonical list pattern is:
```ts twoslash
import { html } from "ilha";
const fruits = ["apple", "banana", "cherry"];
html`
${fruits.map((fruit) => html`
${fruit}
`)}
`;
// →
apple
banana
cherry
```
Each html`` result in the array passes through unescaped. Mixed arrays of strings and html`` results also work — each item is processed by its own rules.
## Whitespace and indentation
`html\`\`` automatically strips leading and trailing blank lines and dedents the template based on the minimum indentation found. This keeps rendered output clean regardless of how the template is indented in source:
```ts twoslash
import { html } from "ilha";
const result = html`
Hello
`;
// →
\n
Hello
\n
```
## Return type
html`` returns a `RawHtml` object, not a plain string. This lets ilha distinguish between trusted and untrusted content when the result is interpolated into another template. To get the plain string value, access `.value` or let ilha unwrap it at a render boundary:
```ts twoslash
import { html } from "ilha";
const result = html`
hello
`;
result.value; // → "
hello
"
```
In practice you rarely need to access `.value` directly — ilha handles unwrapping automatically at render time.
## Notes
- html`` is purely a runtime helper with no compiler step. It works in any JavaScript environment including Node, Bun, Deno, and the browser.
- Do not use html`` for CSS or attribute values where HTML escaping is not appropriate. Use the [css``](/guide/helpers/css) tag for stylesheets and plain template literals for everything else.