Template Literals

function html(strings, ...values) { /* implement later */ }
function escape`template` { /* implement later */ }
function html(strings, ...values) { return strings.reduce((result, str, i) => result + str + (values[i] ? String(values[i]).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`) : ''), ''); }
The correct implementation of a tag function that escapes HTML special characters in interpolated values is option 3. This function uses the tagged template pattern where the first parameter 'strings' is an array of the string literals, and '...values' captures all interpolated values. The function then uses reduce() to reconstruct the template, but with HTML special characters in the interpolated values escaped. For each string part, it adds the string followed by the corresponding value (if it exists), after escaping characters like &, <, >, ", and ' with their HTML entity numeric codes. This pattern is useful for preventing XSS (Cross-Site Scripting) attacks when inserting dynamic content into HTML. Options 1 and 2 are just placeholders without implementation, and option 4 doesn't handle template interpolation correctly as it just processes a single string.
function html(template) { return template.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`); }