Sanitizer()

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The Sanitizer() constructor creates a new Sanitizer object, which can be used to sanitize untrusted strings of HTML, or untrusted Document or DocumentFragment objects, making them safe for insertion into a document's DOM.

The default Sanitizer() configuration causes sanitizer operations to strip out XSS-relevant input by default, including <script> tags, custom elements, and comments. The constructor config option can be used to customize the sanitizer behavior.

Syntax

new Sanitizer()
new Sanitizer(config)

Parameters

config Optional

A sanitizer configuration object with the following options (referred to as SanitizerConfig in the specification):

allowElements Optional

An Array of strings indicating elements that the sanitizer should not remove.

blockElements Optional

An Array of strings indicating elements that the sanitizer should remove, but keeping their child elements.

dropElements Optional

An Array of strings indicating elements (including nested elements) that the sanitizer should remove.

allowAttributes Optional

An Array of strings indicating the attributes on an element that the sanitizer should not remove.

dropAttributes Optional

An Array of strings indicating attributes that the sanitizer should remove.

allowCustomElements Optional

A Boolean value set to false (default) to remove custom elements and their children. If set to true, custom elements will be subject to built-in and custom configuration checks (and will be retained or dropped based on those checks).

allowComments Optional

A Boolean value set to false (default) to remove HTML comments. Set to true in order to keep comments.

Examples

The examples below show a sanitization operation using the Sanitizer.sanitizeFor() method. This method takes as inputs a string of HTML to sanitize and the context (tag) in which it is sanitized, and returns a sanitized node object for the specified tag. To simplify the presentation the result that is shown is actually the innerHTML of the returned object.

Note: The API only sanitizes HTML in strings in the context of a particular element/tag. For more information see HTML Sanitizer API (and Sanitizer.sanitizeFor()).

Using the default sanitizer

This example shows the result of sanitizing a string with disallowed script element using the default sanitizer (in a div context).

const unsanitized = "abc <script>alert(1)<" + "/script> def";
const sanitized =  new Sanitizer().sanitizeFor("div", unsanitized);
// Result (innerHTML of 'sanitized'): script will be removed: "abc alert(1) def"

Specifications

Specification
HTML Sanitizer API
# dom-sanitizer-sanitizer

Browser compatibility

BCD tables only load in the browser