Sanitizer: sanitize() method

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

The sanitize() method of the Sanitizer interface is used to sanitize a tree of DOM nodes, removing any unwanted elements or attributes.

It should be used when the data to be sanitized is already available as DOM nodes, for example when sanitizing a Document instance in a frame.

The default Sanitizer() configuration strips out XSS-relevant input by default, including <script> tags, custom elements, and comments. The sanitizer configuration may be customized using Sanitizer() constructor options.

Note: To sanitize strings, instead use Element.setHTML(). See HTML Sanitizer API for more information.

Syntax

```js
sanitize(input)
```

Parameters

input

A DocumentFragment or Document to be sanitized.

Return value

A sanitized DocumentFragment.

Exceptions

None.

Examples

To sanitize data from an iframe with id userFrame:

```js
const sanitizer = new Sanitizer(); // Default sanitizer configuration

// Get the frame and its Document object
const frame_element = document.getElementById("userFrame");
const unsanitized_frame_tree = frame_element.contentWindow.document;

// Sanitize the document tree; the result is a DocumentFragment
const sanitized_frame_tree = sanitizer.sanitize(unsanitized_frame_tree);

// Replace the frame document's body content with the sanitized fragment.
// (Replacing the children of the <iframe> element itself would only change
// its fallback content, not what the frame actually displays.)
unsanitized_frame_tree.body.replaceChildren(sanitized_frame_tree);
```

Specifications

Specification: HTML Sanitizer API (#dom-sanitizer-sanitize)

Browser compatibility
