Sanitizer()

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The Sanitizer() constructor creates a new Sanitizer object, which can be used to sanitize untrusted strings of HTML, or untrusted Document or DocumentFragment objects, making them safe for insertion into a document's DOM.

The default Sanitizer() configuration causes sanitizer operations to strip out XSS-relevant input by default, including <script> tags, custom elements, and comments. The constructor config option can be used to customize the sanitizer behavior.

Syntax

new Sanitizer()
new Sanitizer(config)

Parameters

config Optional

A sanitizer configuration object with the following options (referred to as SanitizerConfig in the specification):

allowElements Optional: An Array of strings indicating elements that the sanitizer should not remove.
blockElements Optional: An Array of strings indicating elements that the sanitizer should remove, but keeping their child elements.
dropElements Optional: An Array of strings indicating elements (including nested elements) that the sanitizer should remove.
allowAttributes Optional: An Array of strings indicating the attributes on an element that the sanitizer should not remove.
dropAttributes Optional: An Array of strings indicating attributes that the sanitizer should remove.
allowCustomElements Optional: A Boolean value set to false (default) to remove custom elements and their children. If set to true, custom elements will be subject to built-in and custom configuration checks (and will be retained or dropped based on those checks).
allowComments Optional: A Boolean value set to false (default) to remove HTML comments. Set to true in order to keep comments.

Examples

The examples below show a sanitization operation using the Sanitizer.sanitizeFor() method. This method takes as inputs a string of HTML to sanitize and the context (tag) in which it is sanitized, and returns a sanitized node object for the specified tag. To simplify the presentation the result that is shown is actually the innerHTML of the returned object.

Note: The API only sanitizes HTML in strings in the context of a particular element/tag. For more information see HTML Sanitizer API (and Sanitizer.sanitizeFor()).

Using the default sanitizer

This example shows the result of sanitizing a string with disallowed script element using the default sanitizer (in a div context).

const unsanitized = "abc <script>alert(1)<" + "/script> def";
const sanitized =  new Sanitizer().sanitizeFor("div", unsanitized);
// Result (innerHTML of 'sanitized'): script will be removed: "abc alert(1) def"

Specifications

Specification
HTML Sanitizer API # dom-sanitizer-sanitizer

Browser compatibility

BCD tables only load in the browser