ShadowRoot: setHTMLUnsafe() method

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

The setHTMLUnsafe() method of the ShadowRoot interface is used to parse a string of HTML into a DocumentFragment, which then replaces the element's subtree in the DOM. The input HTML may include declarative shadow roots.

The suffix "Unsafe" in the method name indicates that the method does not sanitize or remove potentially unsafe XSS-relevant input, such as <script> elements, and script or event handler content attributes.

If the string of HTML defines more than one declarative shadow root in a particular shadow host then only the first ShadowRoot is created — subsequent declarations are parsed as <template> elements within that shadow root.

Note: This method should be used instead of ShadowRoot.innerHTML when a string of HTML may contain declarative shadow roots.

Syntax

setHTMLUnsafe(html)

Parameters

html: A string defining HTML to be parsed.

Specification
HTML Standard # dom-shadowroot-sethtmlunsafe

Browser compatibility

BCD tables only load in the browser

ShadowRoot: setHTMLUnsafe() method

Limited availability

Syntax

Parameters

Return value

Exceptions

Specifications

Browser compatibility

See also