Sanitizer
Experimental: This is an experimental technology. Check the Browser compatibility table carefully before using this in production.
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The Sanitizer interface of the HTML Sanitizer API is used to sanitize untrusted strings of HTML, Document and DocumentFragment objects.
After sanitization, unwanted elements or attributes are removed, and the returned objects can safely be inserted into a document's DOM.
A Sanitizer object is also used by the Element.setHTML() method to parse and sanitize a string of HTML, and immediately insert it into an element.
The default configuration strips out XSS-relevant input, including <script> tags, custom elements, and comments. This configuration may be customized using constructor options.
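The following is an added example, not code from the MDN page or the specification. It shows the two ways of using the interface described above: passing a Sanitizer to Element.setHTML() for an untrusted HTML string, and calling Sanitizer.sanitize() on an inert Document produced by DOMParser. The configuration keys in SANITIZER_CONFIG (allowElements, allowAttributes, allowCustomElements, allowComments) follow the draft option names as an assumption; the untrusted input is constructed for the example. Because the API is experimental, the code feature-detects it and, when it is absent, inserts the input as inert text rather than falling back to innerHTML.

```javascript
// Added example (not from the MDN page). Demonstrates Sanitizer(),
// Sanitizer.sanitize() and Element.setHTML() with feature detection.
// Option names in SANITIZER_CONFIG are an assumption about the draft API.

// Constructed untrusted input: an inline handler, a script, a comment and a
// custom element, i.e. the kinds of content the default configuration removes.
const UNTRUSTED_HTML =
  '<p onclick="alert(1)">Hello <b>world</b></p>' +
  '<script>alert("xss")</script>' +
  '<!-- hidden --><my-widget>custom</my-widget>';

// Allow-list configuration passed to the constructor (assumed option names).
const SANITIZER_CONFIG = {
  allowElements: ["p", "b", "i", "a"],
  allowAttributes: { href: ["a"] },
  allowCustomElements: false,
  allowComments: false,
};

// True when the global object exposes the Sanitizer constructor.
function hasSanitizerApi(win) {
  return win != null && typeof win.Sanitizer === "function";
}

// Render an untrusted string into `target`. Returns "sanitized" when the
// Sanitizer API and Element.setHTML() were used, "text" otherwise.
function renderUntrusted(target, html, win = globalThis) {
  if (hasSanitizerApi(win) && typeof target.setHTML === "function") {
    const sanitizer = new win.Sanitizer(SANITIZER_CONFIG);
    // setHTML parses, sanitizes with the given Sanitizer, then inserts.
    target.setHTML(html, { sanitizer });
    return "sanitized";
  }
  // No sanitizer available: never fall back to innerHTML. Assigning
  // textContent renders the input as literal characters, which cannot execute.
  target.textContent = html;
  return "text";
}

// Sanitize a string via Sanitizer.sanitize(), which takes a Document or
// DocumentFragment. DOMParser yields an inert Document (its scripts do not
// run), so parsing happens before anything touches the live page.
// Returns the sanitized DocumentFragment, or null when the API is absent.
function sanitizeHtmlString(html, win = globalThis) {
  if (!hasSanitizerApi(win) || typeof win.DOMParser !== "function") {
    return null;
  }
  const doc = new win.DOMParser().parseFromString(html, "text/html");
  return new win.Sanitizer(SANITIZER_CONFIG).sanitize(doc);
}

// Browser usage: only runs where a live document and the API exist.
if (typeof document !== "undefined" && hasSanitizerApi(globalThis)) {
  const out = document.createElement("div");
  document.body.append(out);
  renderUntrusted(out, UNTRUSTED_HTML);
  const fragment = sanitizeHtmlString(UNTRUSTED_HTML);
  if (fragment) out.append(fragment);
}
```

The global object and the target element are parameters so the same functions can be exercised outside a browser with stand-in objects; in a page, the defaults pick up window.Sanitizer and window.DOMParser. Note that the fallback deliberately loses formatting: showing untrusted markup as plain text is the safe failure mode when no sanitizer is present.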
Constructors
Sanitizer() (Experimental)
Creates and returns a Sanitizer object, optionally with custom sanitization behavior.
Instance methods
Sanitizer.sanitize() (Experimental)
Returns a sanitized DocumentFragment from an input Document or DocumentFragment.
Examples
For examples see the HTML Sanitizer API and the individual methods.
Specifications
Specification |
---|
HTML Sanitizer API # sanitizer-api |
Browser compatibility