Sanitizer

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

The Sanitizer interface of the HTML Sanitizer API is used to sanitize untrusted strings of HTML, Document and DocumentFragment objects. After sanitization, unwanted elements or attributes are removed, and the returned objects can safely be inserted into a document's DOM.

A Sanitizer object is also used by the Element.setHTML() method to parse and sanitize a string of HTML, and immediately insert it into an element.

The default configuration strips out XSS-relevant input by default, including <script> tags, custom elements, and comments. This configuration may be customized using constructor options.

Constructors

Sanitizer() Deprecated

Creates and returns a Sanitizer object, optionally with custom sanitization behavior.

Instance methods

Sanitizer.sanitize() Deprecated

Returns a sanitized DocumentFragment from an input Document or DocumentFragment

Examples

For examples see the HTML Sanitizer API and the individual methods.

Specifications

Specification
HTML Sanitizer API
# sanitizer-api

Browser compatibility

BCD tables only load in the browser